1. INTRODUCTION

At the heart of all the techniques that have been proposed for exploring infinite state
spaces is a symbolic representation that can finitely represent infinite sets of states.
In early work on the subject, this representation was domain specific, for example 
linear constraints for sets of real vectors. For several years now, the idea that a 
generic finite-automaton based representation could be used in many settings has 
gained ground, starting with systems manipulating queues and integers [Wolper 
and Boigelot 1995; Boigelot et al. 1997; Wolper and Boigelot 1998; 2000], then 
moving to parametric systems [Kesten et al. 1997], and, finally, reaching systems 
using real variables [Boigelot et al. 1998; Boigelot et al. 2001; 2005; Boigelot and 
Wolper 2002]. 

For exploring an infinite state space, one does not only need a finite representation
of infinite sets, but also techniques for finitely computing the effect of an unbounded
number of transitions. Such techniques can be domain specific or generic. Domain
specific techniques exploit the specific properties and representations of the domain
being considered and were, for instance, obtained for queues in [Boigelot and
Godefroid 1996; Bouajjani and Habermehl 1997], for integers and reals in [Boigelot
1999; Boigelot and Wolper 2002; Boigelot et al. 2003; Boigelot and Herbreteau
2006; Finkel and Leroux 2002; Bardin et al. 2004; Bardin et al. 2005], for pushdown
systems in [Finkel et al. 1997; Bouajjani et al. 1997], and for lossy channels
in [Abdulla and Jonsson 1996]. Generic techniques consider finite-automata
representations and provide algorithms that operate directly on this representation,
mostly disregarding the domain for which it is used.

Generic techniques appeared first in the context of the verification of systems
whose states can be encoded by finite words, such as parametric systems. The
idea used there is that, a configuration being a finite word, a transition relation is
a relation on finite words, or equivalently a language of pairs of finite words. If
this language is regular, it can be represented by a finite-state automaton, more
specifically a finite-state transducer, and the problem then becomes the one of
iterating such a transducer. Finite-state transducers are quite powerful (the transition
relation of a Turing machine can be modeled by a finite-state transducer), the flip
side of the coin being that the iteration of such a transducer is neither always
computable, nor regular. Nevertheless, there are a number of practically relevant
cases in which the iteration of finite-state transducers can be computed and
remains finite-state. Identifying such cases and developing (partial) algorithms for
iterating finite-state transducers has been the topic, referred to as "Regular Model
Checking", of a series of recent papers [Kesten et al. 1997; Bouajjani et al. 2000;
Boigelot et al. 2003; 2004; Jonsson and Nilsson 2000; Bouajjani et al. 2004; Touili
2001; Dams et al. 2002; Abdulla et al. 2003].

The question that initiated the work presented in this paper is whether the
generic techniques for iterating transducers could be fruitfully applied in cases in
which domain specific techniques had been exclusively used so far. In particular,
one of our goals was to iterate finite-state transducers representing arithmetic
relations (see [Boigelot and Wolper 2002] for a survey). Beyond mere curiosity, the
motivation was to be able to iterate relations that are not in the form required by
the domain specific results, for instance disjunctive relations. Initial results were
very disappointing: the trans
ducer for an arithmetic relation as simple as $(x, x+1)$
could not be iterated by existing generic techniques. However, looking for the roots
of this impossibility through a mix of experiments and theoretical work, and taking
a pragmatic approach to solving the problems discovered, we were able to develop
an approach to iterating transducers that easily handles arithmetic relations, as well
as many other cases. Interestingly, it is by using a tool for manipulating automata
(LASH [LASH]), looking at examples beyond the reach of manual simulation, and
testing various algorithms that the right intuitions, later to be validated by
theoretical arguments, were developed.

The general approach that has been taken is similar to the one of [Touili 2001]
in the sense that, starting with a transducer $T$, we compute powers of $T$ and
attempt to generalize the sequence of transducers obtained in order to capture its
infinite union. This is done by comparing successive powers of $T$ and attempting
to characterize the difference between powers of $T$ as a set of states and transitions
that are added. If this set of added states, or increment, is always the same, it can
be inserted into a loop in order to capture all powers of $T$. However, for arithmetic
transducers, comparing $T^i$ with $T^{i+1}$ did not yield an increment that could be
repeated, though comparing with did. So, a first idea we used is not to
always compare $T^i$ and $T^{i+1}$, but to extract a sequence of samples from the sequence
of powers of the transducer, and work with this sequence of samples. Given the
binary encoding used for representing arithmetic relations, sampling at powers of 2
works well in this case, but the sampling approach is general and different sample
sequences can be used in other cases. Now, if we only consider sample powers
of the transducer and compute the union of these samples, this is not necessarily
equivalent to computing $\bigcup_i T^i$. Fortunately, this problem is easily solved by considering the
reflexive transducer, i.e., $T_0 = T \cup T_{id}$ where $T_{id}$ is the identity transducer, in
which case working with an infinite subsequence of samples is sufficient.

Once the automata in the sequence being considered are constructed and compared,
and an increment corresponding to the difference between successive
elements has been identified, the next step is to allow this increment to be repeated
an arbitrary number of times by incorporating it into a loop. There are some
technical issues about how to do this, but no major difficulty. Once the resulting
"extrapolated" transducer has been obtained, one still needs to check that the
applied extrapolation is safe (contains all elements of the sequence) and is precise
(contains no more). An easy to check sufficient condition for the extrapolation to
be safe is that it remains unchanged when being composed with itself. Checking
preciseness is more delicate, but we have developed a procedure that embodies a
sufficient criterion for doing so. The idea is to check that any behavior of the
transducer with a given number $k$ of copies of the increment can be obtained by
composing transducers with less than $k$ copies of the increment. This is done by
augmenting the transducers to be checked with counters and proving that one can
restrict these counters to a finite range, hence allowing finite-state techniques to
be used.

Taking advantage of the fact that our extrapolation technique works on automata,
not just on transducers, we consider computing reachable states both by computing
the closure of the transducer representing the transition relation, and by repeatedly
applying the transducer to a set of initial states. The first approach yields a more
general object and is essential if one wishes to extend the method to the verification
of temporal properties ([Bouajjani et al. 2000; Pnueli and Shahar 2000; Abdulla
et al. 2004; Bouajjani et al. 2004]), but the second is often less demanding from a
computational point of view and can handle cases that are out of reach for the first.
Preciseness is not always possible to check when working with state sets rather than
transducers, but this just amounts to saying that what is computed is possibly an
overapproximation of the set of reachable states, a situation which is known to be
pragmatically unproblematic: an overapproximation can only produce spurious alarms,
it never misses a reachable state.

Going further, the problem of using Regular Model Checking techniques for systems
whose states are represented by infinite (omega) words has been addressed.
This makes the representation of sets of reals possible as described in [Boigelot et al.
2001; Boigelot et al. 2003]. To avoid the hard to implement algorithms needed for
some operations on infinite-word automata, only omega-regular sets that can be
defined by weak deterministic Büchi automata [Muller et al. 1986] are considered.
This is of course restrictive, but as is shown in [Boigelot et al. 2001; 2005], it is
sufficient to handle sets of reals defined in the first-order theory of linear constraints.
Moreover, using such a representation leads to algorithms that are very similar to
the ones used in the finite word case, and allows us to work with reduced deterministic
automata as a normal form. Due to these advantages and properties, one can
show that the technique developed for the finite word case can directly be adapted
to weak deterministic Büchi automata up to algorithmic modifications.

Our technique has been implemented in a tool called T(O)RMC (Tool for (Omega-)
Regular Model Checking), which has been tested on several classes of infinite-state
systems. It is worth mentioning that the ability of T(O)RMC to extrapolate a
sequence of automata has other applications than solving the ($\omega$-)Regular
Reachability Problems. As an example, the tool has been used in a semi-algorithm to
compute the convex hull of a set of integer vectors [Cantin et al. 2007; 2008].
T(O)RMC was also used to compute a symbolic representation of the simulation
relation between the states of several classes of infinite-state systems with the aim
of verifying temporal properties [Bouajjani et al. 2004].

Structure of the paper. The paper is structured as follows. In Section 2, we
recall the elementary definitions on automata theory that will be used throughout
the rest of the paper. Section 3 introduces counter-word automata, a class
of counter automata that will be used by our preciseness technique. Section 4
presents the ($\omega$-)Regular Model Checking framework as well as the problems we
want to solve. Sections 5, 6, 7, 8, and 9 describe our main results. Implementation
and experiments are discussed in Section 10. Finally, Sections 11 and 12 contain
a comparison with other works on the same topic and several directions for future
research, respectively.

2. BACKGROUND ON AUTOMATA THEORY

In this section, we introduce several notations, concepts, and definitions that will
be used throughout the rest of this paper. The set of natural numbers is denoted
by $\mathbb{N}$, and $\mathbb{N}_0$ is used for $\mathbb{N} \setminus \{0\}$.
2.1 Relations

Consider a set $S$, a set $S_1 \subseteq S$, and two binary¹ relations $R_1, R_2 \subseteq S \times S$.
The identity relation on $S$, denoted $R^S_{id}$ (or $R_{id}$ when $S$ is clear from the context),
is the set $\{(s, s) \mid s \in S\}$. The image of $S_1$ by $R_1$, denoted $R_1(S_1)$, is the set
$\{s' \in S \mid (\exists s \in S_1)((s, s') \in R_1)\}$. The composition of $R_1$ with $R_2$, denoted
$R_2 \circ R_1$, is the set $\{(s, s') \mid (\exists s'')((s, s'') \in R_1 \wedge (s'', s') \in R_2)\}$. The $i$th power of
$R_1$ ($i \in \mathbb{N}_0$), denoted $R_1^i$, is the relation obtained by composing $R_1$ with itself $i$
times. The zero-power of $R_1$, denoted $R_1^0$, corresponds to the identity relation. The
transitive closure of $R_1$, denoted $R_1^+$, is given by $\bigcup_{i=1}^{\infty} R_1^i$; its reflexive transitive
closure, denoted $R_1^*$, is given by $R_1^+ \cup R^S_{id}$. The domain of $R_1$, denoted $Dom(R_1)$,
is given by $\{s \in S \mid (\exists s' \in S)((s, s') \in R_1)\}$.
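As an added illustration of the definitions of this section and of the sampling argument of the introduction (it is not code from the paper or from T(O)RMC), the following Python computes composition, powers, closure, image and domain for relations on a small finite carrier set, and then shows why sampling the powers of a relation requires the reflexive relation. The carrier 0..8, the relation (x, x+1) restricted to it and the sample sequence 1, 2, 4, 8 are assumptions made for this example.

```python
# Relations on a finite carrier set (Section 2.1) and the sampling argument of the
# introduction. Added illustration, not code from the paper or from T(O)RMC.
# Assumptions: S is the bounded range 0..8, R is (x, x+1) restricted to S, and the
# sample sequence is the powers of 2 mentioned in the text.

CARRIER = range(9)  # S (assumed); bounded so that every power is a finite set of pairs


def identity(S):
    """R_id^S = {(s, s) | s in S}."""
    return {(s, s) for s in S}


def compose(R1, R2):
    """R2 o R1 = {(s, s') | exists s'' with (s, s'') in R1 and (s'', s') in R2}."""
    successors = {}
    for s2, s3 in R2:
        successors.setdefault(s2, set()).add(s3)
    return {(s1, s3) for (s1, s2) in R1 for s3 in successors.get(s2, ())}


def power(R, S, i):
    """R^i, with R^0 = R_id^S."""
    result = identity(S)
    for _ in range(i):
        result = compose(result, R)
    return result


def transitive_closure(R, S):
    """R^+ = union of R^i for i >= 1; the loop stops once R^i adds no new pair."""
    closure, current = set(), identity(S)
    while True:
        current = compose(current, R)
        if current <= closure:
            return closure
        closure |= current


def image(R, S1):
    """R(S1) = {s' | exists s in S1 with (s, s') in R}."""
    return {s2 for (s1, s2) in R if s1 in S1}


def domain(R):
    """Dom(R) = {s | exists s' with (s, s') in R}."""
    return {s1 for (s1, _) in R}


# The relation (x, x+1) of the introduction, restricted to the carrier (assumed example).
SUCC = {(x, x + 1) for x in CARRIER if x + 1 in CARRIER}


def sampled_union(R, S, samples):
    """Union of the sampled powers R^s for s in the sample sequence."""
    out = set()
    for s in samples:
        out |= power(R, S, s)
    return out


def sampling_gap():
    """Pairs of R^+ missed when only the samples R^1, R^2, R^4, R^8 are united:
    for (x, x+1) these are exactly the pairs at distance 3, 5, 6 and 7."""
    return transitive_closure(SUCC, CARRIER) - sampled_union(SUCC, CARRIER, [1, 2, 4, 8])


def reflexive_sampling_is_exact():
    """With the reflexive relation R_0 = R u R_id, R_0^s contains every R^i for i <= s,
    so the same samples already give the reflexive transitive closure R^*."""
    R0 = SUCC | identity(CARRIER)
    star = transitive_closure(SUCC, CARRIER) | identity(CARRIER)
    return sampled_union(R0, CARRIER, [1, 2, 4, 8]) == star
```

sampling_gap() returns the pairs at distance 3, 5, 6 and 7 that the union of the sampled powers of R misses, whereas with R_0 = R ∪ R_id the same samples already yield R^*, because R_0^s contains every R^i with i ≤ s. On a finite carrier the closure is a plain fixpoint; for the transducers of the paper the union is infinite and is exactly what the extrapolation has to capture.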

2.2 Words and Languages

An alphabet is a (nonempty) finite set of distinct symbols. A finite word of length
$n$ over an alphabet $\Sigma$ is a mapping $w : \{0, \ldots, n-1\} \to \Sigma$. An infinite word, also
called $\omega$-word, over $\Sigma$ is a mapping $w : \mathbb{N} \to \Sigma$. We denote by the term word either
a finite word or an infinite word, depending on the context. The length of the finite
word $w$ is denoted by $|w|$. A finite word $w$ of length $n$ is often represented by
$w = w(0) \cdots w(n-1)$. An infinite word $w$ is often represented by $w(0)w(1)\cdots$. The
sets of finite and infinite words over $\Sigma$ are denoted by $\Sigma^*$ and by $\Sigma^\omega$, respectively.
We define $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. A finite-word (respectively, infinite-word) language over
$\Sigma$ is a (possibly infinite) set of finite (respectively, infinite) words over $\Sigma$. Consider
$L_1$ and $L_2$, two finite-word (resp. infinite-word) languages. The union of $L_1$ and
$L_2$, denoted $L_1 \cup L_2$, is the language that contains all the words that belong either
to $L_1$ or to $L_2$. The intersection of $L_1$ and $L_2$, denoted $L_1 \cap L_2$, is the language that
contains all the words that belong to both $L_1$ and $L_2$. The complement of $L_1$,
denoted $\overline{L_1}$, is the language that contains all the words over $\Sigma$ that do not belong to $L_1$.

We also introduce synchronous product and projection, which are two operations
needed to define relations between languages.

Definition 2.1. Consider $L_1$ and $L_2$ two languages over $\Sigma$.

— If $L_1$ and $L_2$ are finite-word languages, the synchronous product $L_1 \times L_2$ of $L_1$
and $L_2$ is defined as follows

$L_1 \times L_2 = \{(w(0), w'(0)) \ldots (w(n), w'(n)) \mid w = w(0)w(1) \ldots w(n) \in L_1 \wedge w' = w'(0)w'(1) \ldots w'(n) \in L_2\}.$

Only words of equal length are paired in the finite-word case.

— If $L_1$ and $L_2$ are $\omega$-languages, the synchronous product $L_1 \times L_2$ of $L_1$ and $L_2$ is
defined as follows

$L_1 \times L_2 = \{(w(0), w'(0))(w(1), w'(1)) \cdots \mid w = w(0)w(1) \ldots \in L_1 \wedge w' = w'(0)w'(1) \cdots \in L_2\}.$

The language $L_1 \times L_2$ is defined over the alphabet $\Sigma^2$.

¹ The term "binary" will be dropped in the rest of the paper.

ACM Transactions on Computational Logic, Vol. V, No. N, 20YY.

6 • A. Legay and P. Wolper

Definition 2.1 directly generalizes to synchronous products of more than two languages.
Given two finite (respectively, infinite) words $w_1, w_2$ (with $|w_1| = |w_2|$ if
the words are finite) and two languages $L_1$ and $L_2$ with $L_1 = \{w_1\}$ and $L_2 = \{w_2\}$,
we use $w_1 \times w_2$ to denote the unique word in $L_1 \times L_2$.

Definition 2.2. Suppose $L$ a language over the alphabet $\Sigma^n$ and a natural $1 \le i \le n$.
The projection of $L$ on all its components except component $i$, denoted $\Pi_{\neq i}(L)$, is
the language $L'$ such that

$\Pi_{\neq i}(L) = \{w_1 \times \ldots \times w_{i-1} \times w_{i+1} \times \ldots \times w_n \mid (\exists w_i)(w_1 \times \ldots \times w_{i-1} \times w_i \times w_{i+1} \times \ldots \times w_n \in L)\}.$

2.3 Automata

Definition 2.3. An automaton over $\Sigma$ is a tuple $A = (Q, \Sigma, Q_0, \Delta, F)$, where

— $Q$ is a finite set of states,

— $\Sigma$ is a finite alphabet,

— $Q_0 \subseteq Q$ is the set of initial states,

— $\Delta \subseteq Q \times \Sigma \times Q$ is a finite transition relation, and

— $F \subseteq Q$ is the set of accepting states (the states in $Q \setminus F$ are the nonaccepting
states).

Let $A = (Q, \Sigma, Q_0, \Delta, F)$ be an automaton. If $(q_1, a, q_2) \in \Delta$, then we say that
there is a transition from $q_1$ (the origin) to $q_2$ (the destination) labeled by $a$. We
sometimes abuse the notations, and write $q_2 \in \Delta(q_1, a)$ instead of $(q_1, a, q_2) \in \Delta$.
Two transitions $(q_1, a, q_2), (q_3, b, q_4) \in \Delta$ are consecutive if $q_2 = q_3$. Given two states
$q, q' \in Q$ and a finite word $w \in \Sigma^*$, we write $(q, w, q') \in \Delta^*$ if there exist states
$q_0, \ldots, q_{k-1}$ and $w_0, \ldots, w_{k-2} \in \Sigma$ such that $q_0 = q$, $q_{k-1} = q'$, $w = w_0 w_1 \cdots w_{k-2}$,
and $(q_i, w_i, q_{i+1}) \in \Delta$ for all $0 \le i < k-1$. Given two states $q, q' \in Q$, we say that
the state $q'$ is reachable from $q$ in $A$ if $(q, w, q') \in \Delta^*$ for some $w \in \Sigma^*$. The automaton $A$ is complete
if for each state $q \in Q$ and symbol $a \in \Sigma$, there exists at least one state $q' \in Q$
such that $(q, a, q') \in \Delta$. An automaton can easily be completed by adding an extra
nonaccepting state, to which all missing transitions are directed and which loops on every symbol.

A finite run of $A$ on a finite word $w : \{0, \ldots, n-1\} \to \Sigma$ is a labeling $\rho : \{0, \ldots, n\} \to Q$
such that $\rho(0) \in Q_0$, and $(\forall 0 \le i < n)((\rho(i), w(i), \rho(i+1)) \in \Delta)$. A finite run $\rho$
is accepting for $w$ if $\rho(n) \in F$. An infinite run of $A$ on an infinite word $w : \mathbb{N} \to \Sigma$
is a labeling $\rho : \mathbb{N} \to Q$ such that $\rho(0) \in Q_0$, and $(\forall 0 \le i)((\rho(i), w(i), \rho(i+1)) \in \Delta)$.
An infinite run $\rho$ is accepting for $w$ if $inf(\rho) \cap F \neq \emptyset$, where $inf(\rho)$ is the set of
states that are visited infinitely often by $\rho$.

We distinguish between finite-word automata that are automata accepting finite
words, and Büchi automata that are automata accepting infinite words. A finite-word
automaton accepts a finite word $w$ if there exists an accepting finite run for
$w$ in this automaton. A Büchi automaton accepts an infinite word $w$ if there exists
an accepting infinite run for $w$ in this automaton. The set of words accepted by
$A$ is the language accepted by $A$, and is denoted $L(A)$. Any language that can be
represented by a finite-word (respectively, Büchi) automaton is said to be regular
(respectively, $\omega$-regular).

The automaton $A$ may behave nondeterministically on an input word, since it may
have many initial states and the transition relation may specify many possible transitions
for each state and symbol. If $|Q_0| = 1$ and for all states $q_1 \in Q$ and symbols
$a \in \Sigma$ there is at most one state $q_2 \in Q$ such that $(q_1, a, q_2) \in \Delta$, then $A$ is deterministic.
In order to emphasize this property, a deterministic automaton is denoted
as a tuple $(Q, \Sigma, q_0, \delta, F)$, where $q_0$ is the unique initial state and $\delta : Q \times \Sigma \to Q$
is a partial function deduced from the transition relation by setting $\delta(q_1, a) = q_2$
if $(q_1, a, q_2) \in \Delta$. Operations on languages directly translate to operations on automata,
and so do the notations.

One can decide whether the language accepted by a finite-word or a Büchi automaton
is empty or not. It is also known that finite-word automata are closed under
determinization, complementation, union, projection, and intersection [Hopcroft 1971].
Moreover, finite-word automata admit a minimal form, which is unique up to isomorphism
[Hopcroft 1971].

Though the union, intersection, synchronous product, and projection of Büchi automata
can be computed efficiently, the complementation operation requires intricate
algorithms that not only are worst-case exponential, but are also hard to
implement and optimize (see [Vardi 2007] for a survey). The core problem is that
there are Büchi automata that do not admit a deterministic/minimal form. To
work with infinite-word automata that enjoy the same properties as finite-word
automata, we will restrict ourselves to weak automata [Muller et al. 1986]
defined hereafter.

Definition 2.4. For a Büchi automaton $A = (Q, \Sigma, Q_0, \Delta, F)$ to be weak, there
has to be a partition of its state set $Q$ into disjoint subsets $Q_1, \ldots, Q_m$ such that for
each of the $Q_i$, either $Q_i \subseteq F$, or $Q_i \cap F = \emptyset$, and there is a partial order $\le$ on the
sets $Q_1, \ldots, Q_m$ such that for every $q \in Q_i$ and $q' \in Q_j$ for which, for some $a \in \Sigma$,
$q' \in \Delta(q, a)$ ($q' = \delta(q, a)$ in the deterministic case), $Q_j \le Q_i$.

A weak automaton is thus a Büchi automaton such that each of the strongly connected
components of its graph contains either only accepting or only non-accepting
states.

Not all $\omega$-regular languages can be accepted by deterministic weak Büchi automata,
nor even by nondeterministic weak automata. However, there are algorithmic advantages
to working with weak automata: deterministic weak automata, once completed, can be
complemented simply by inverting their accepting and non-accepting states; and
there exists a simple determinization procedure for weak automata [Safra 1992],
which produces Büchi automata that are deterministic, but generally not weak.
Nevertheless, if the represented language can be accepted by a deterministic weak
automaton, the result of the determinization procedure will be inherently weak according
to the definition below [Boigelot et al. 2001] and thus easily transformed
into a weak automaton.
Definition 2.5. A Büchi automaton is inherently weak if none of the reachable
strongly connected components of its transition graph contain both accepting (visiting
at least one accepting state) and non-accepting (not visiting any accepting
state) cycles.

This gives us a pragmatic way of staying within the realm of deterministic weak
Büchi automata. We start with sets represented by such automata. This is preserved
by union, intersection, synchronous product, and complementation operations.
If a projection is needed, the result is determinized by the known simple
procedure. Then, either the result is inherently weak and we can proceed, or it is
not and we are forced to use the classical algorithms for Büchi automata. The latter
case might never occur, for instance if we are working with automata representing
sets of reals definable in the first-order theory of linear constraints [Boigelot et al.
2001].

A final advantage of weak deterministic Büchi automata is that they admit a minimal
form, which is unique up to isomorphism [Löding 2001].

2.4 Relations on Automata States

We will also use the following definitions.

Definition 2.6. Given two automata $A_1 = (Q_1, \Sigma_1, Q_{01}, \Delta_1, F_1)$ and $A_2 = (Q_2, \Sigma_2, Q_{02}, \Delta_2, F_2)$, we define

— the forward equivalence relation $E_f \subseteq Q_1 \times Q_2$, which is an equivalence relation
on states of $A_1$ and $A_2$ with $(q_1, q_2) \in E_f$ iff $L^{q_1}(A_1) = L^{q_2}(A_2)$, i.e., the languages
accepted from $q_1$ and from $q_2$ coincide;

— the backward equivalence relation $E_b \subseteq Q_1 \times Q_2$, which is an equivalence relation
on states of $A_1$ and $A_2$ with $(q_1, q_2) \in E_b$ iff $L'_{q_1}(A_1) = L'_{q_2}(A_2)$, i.e., the sets of
words leading from an initial state to $q_1$ and to $q_2$ coincide.

Definition 2.7. Given two automata $A_1 = (Q_1, \Sigma, Q_{01}, \Delta_1, F_1)$ and $A_2 = (Q_2, \Sigma, Q_{02}, \Delta_2, F_2)$, a relation $R \subseteq Q_1 \times Q_2$ is an isomorphism between $A_1$ and $A_2$ if and
only if

— $R$ is a bijection,

— for each $a \in (\Sigma \cup \{\varepsilon\})$ and $q_1, q_2 \in Q_1$, $(q_1, a, q_2) \in \Delta_1 \Leftrightarrow (R(q_1), a, R(q_2)) \in \Delta_2$,

— for each $(q, q') \in R$, $q \in Q_{01} \Leftrightarrow q' \in Q_{02}$,

— for each $(q, q') \in R$, $q \in F_1 \Leftrightarrow q' \in F_2$.

2.5 Transducers

In this paper, we will consider relations that are defined over sets of words. We use
the following definitions taken from [Nilsson 2001]. For a finite-word (respectively,
infinite-word) language $L$ over $\Sigma^n$, we denote by $\lfloor L \rfloor$ the finite-word (respectively,
infinite-word) relation over $\Sigma^n$ consisting of the set of tuples $(w_1, w_2, \ldots, w_n)$ such
that $w_1 \times w_2 \times \ldots \times w_n$ is in $L$. The arity of such a relation is $n$. Note that for
$n = 1$, we have that $L = \lfloor L \rfloor$. The relation $R_{id}$ is the identity relation, i.e.,
$R_{id} = \{(w_1, w_2, \ldots, w_n) \mid w_1 = w_2 = \cdots = w_n\}$. A relation $R$ defined over $\Sigma^n$ is
($\omega$-)regular if there exists an ($\omega$-)regular language $L$ over $\Sigma^n$ such that $\lfloor L \rfloor = R$.
Fig. 1. A transducer for $(x, x+1) \cup (x, x)$. The initial state of the automaton is colored in gray,
and the final state is surrounded by a double circle (this convention will be followed throughout
the rest of the paper).

We now introduce transducers, that are automata for representing ($\omega$-)regular relations
over $\Sigma^2$.

Definition 2.8. A transducer over $\Sigma$ is an automaton $T$ over $\Sigma^2$ given by $(Q, \Sigma^2, Q_0, \Delta, F)$, where

— $Q$ is the finite set of states,

— $\Sigma^2$ is the finite alphabet,

— $Q_0 \subseteq Q$ is the set of initial states,

— $\Delta \subseteq Q \times \Sigma^2 \times Q$ is the transition relation, and

— $F \subseteq Q$ is the set of accepting states (the states that are not in $F$ are the
nonaccepting states).

Given an alphabet $\Sigma$, the transducer representing the identity relation over $\Sigma^2$
is denoted $T^\Sigma_{id}$ (or $T_{id}$ when $\Sigma$ is clear from the context). All the concepts and
operations defined for finite automata can be used with transducers. The only
reason to particularize this class of automata is that some operations, such as
composition, are specific to relations. In the sequel, we use the term "transducer"
instead of "automaton" when using the automaton as a representation of a relation
rather than as a representation of a language. We sometimes abuse the notations
and write $(w_1, w_2) \in T$ instead of $(w_1, w_2) \in \lfloor L(T) \rfloor$. Given a pair $(w_1, w_2) \in T$,
$w_1$ is the input word, and $w_2$ is the output word. The transducers we consider here
are often called structure-preserving (or length-preserving). Indeed, when following a transition, a symbol
of the input word is replaced by exactly one symbol of the output word.

Example 2.9. If positive integers are encoded in binary with an arbitrary number
of leading 0's allowed, and negative numbers are represented using 2's complement
allowing for an arbitrary number of leading 1's, the transducer of Figure 1
represents the relation $(x, x+1) \cup (x, x)$ (see [Boigelot and Wolper 2002] for a full
description of the encoding).

Given two transducers $T_1$ and $T_2$ over the alphabet $\Sigma$ that represent two relations
$R_1$ and $R_2$, respectively, the composition of $T_1$ by $T_2$, denoted $T_2 \circ T_1$, is the
transducer that represents the relation $R_2 \circ R_1$. We denote by $T^i$ ($i \in \mathbb{N}_0$) the transducer
that represents the relation $R^i$. The transitive closure of $T$ is $T^+ = \bigcup_{i \ge 1} T^i$;
its reflexive transitive closure is $T^* = T^+ \cup T_{id}$. The transducer $T$ is reflexive if
and only if $L(T_{id}) \subseteq L(T)$. Given an automaton $A$ over $\Sigma$ that represents a set
$S$, we denote by $T(A)$ the automaton representing the image of $A$ by $T$, i.e., an
automaton for the set $R(S)$.

Let $T_1$ and $T_2$ be two finite-word (respectively, Büchi) transducers defined over
$\Sigma^2$ and let $A$ be a finite-word (respectively, Büchi) automaton defined
over $\Sigma$. We observe that $T_2 \circ T_1 = \Pi_{\neq 2}[(T_1 \times A_\Sigma) \cap (A_\Sigma \times T_2)]$ and $T(A) =
\Pi_{\neq 1}[(A \times A_\Sigma) \cap T]$, where $A_\Sigma$ is an automaton accepting $\Sigma^*$ (respectively, $\Sigma^\omega$). As
a consequence, the composition of two finite-word ((weak) Büchi) transducers is a
finite-word ((weak) Büchi) transducer. However, the composition of two deterministic weak Büchi
transducers is a weak Büchi transducer whose deterministic version may not be
weak. The same observation can be made about the composition of a transducer
with an automaton.
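The two identities above, as an added worked example in Python (not code from the paper or from T(O)RMC): a minimal automaton class over tuple letters, synchronous product, intersection and projection, from which composition and image are built exactly as stated, with the automaton accepting Σ* written A_Σ. The transducer INC is hand-built here for the relation (x, x+1) on words of one fixed width in the two's-complement encoding of Example 2.9, read most-significant bit first; it is an assumption for this example, not a transcription of Figure 1. The integer values and widths used are constructed test data.

```python
# Structure-preserving transducers as automata over Sigma^2, with composition and image computed
# by the two identities above: T2 o T1 = Pi_{!=2}[(T1 x A_Sigma) n (A_Sigma x T2)] and
# T(A) = Pi_{!=1}[(A x A_Sigma) n T]. Added illustration, not code from the paper or from T(O)RMC.
# INC is a hand-built transducer for (x, x+1) on fixed-width two's-complement words read
# most-significant bit first (an assumption in the spirit of Example 2.9, not a copy of Figure 1).
from itertools import product

class NFA:
    """Automaton (Q, Sigma, Q0, Delta, F); each letter is a tuple holding one symbol per track."""
    def __init__(self, states, alphabet, initial, delta, final):
        self.Q, self.S, self.Q0 = set(states), set(alphabet), set(initial)
        self.D, self.F = set(delta), set(final)

    def accepts(self, word):
        current = set(self.Q0)
        for letter in word:
            current = {q2 for (q1, a, q2) in self.D if q1 in current and a == letter}
        return bool(current & self.F)

def sync_product(A, B):
    """A x B (Definition 2.1): lockstep product, letters are the concatenated tracks."""
    return NFA(product(A.Q, B.Q), {a + b for a in A.S for b in B.S}, product(A.Q0, B.Q0),
               {((p1, q1), a + b, (p2, q2)) for (p1, a, p2) in A.D for (q1, b, q2) in B.D},
               product(A.F, B.F))

def intersection(A, B):
    return NFA(product(A.Q, B.Q), A.S & B.S, product(A.Q0, B.Q0),
               {((p1, q1), a, (p2, q2)) for (p1, a, p2) in A.D for (q1, b, q2) in B.D if a == b},
               product(A.F, B.F))

def project_out(A, i):
    """Pi_{!=i} (Definition 2.2), with a 0-based track index."""
    drop = lambda a: a[:i] + a[i + 1:]
    return NFA(A.Q, {drop(a) for a in A.S}, A.Q0, {(p, drop(a), q) for (p, a, q) in A.D}, A.F)

def universal(sigma):
    """A_Sigma: a one-state automaton accepting Sigma^*."""
    return NFA({'u'}, {(s,) for s in sigma}, {'u'}, {('u', (s,), 'u') for s in sigma}, {'u'})

def union(A, B):
    """Union of two automata whose state names are disjoint (true for the automata below)."""
    return NFA(A.Q | B.Q, A.S | B.S, A.Q0 | B.Q0, A.D | B.D, A.F | B.F)

def compose(T1, T2, sigma):
    """T2 o T1: the intermediate word is shared on track 1 and then projected away."""
    U = universal(sigma)
    return project_out(intersection(sync_product(T1, U), sync_product(U, T2)), 1)

def image(T, A, sigma):
    """T(A): the output words of the pairs of T whose input word is in A."""
    return project_out(intersection(sync_product(A, universal(sigma)), T), 0)

BITS = (0, 1)
# States: 'I' reads the sign bit, 'N' means no carry reaches the current position, 'C' means a
# carry does (every less significant input bit is 1). Reading MSB first, the carry arriving from
# the right is guessed nondeterministically and the guess is checked on the remaining suffix.
INC = NFA({'I', 'N', 'C'}, product(BITS, BITS), {'I'},
          {('I', (0, 0), 'N'), ('I', (1, 1), 'N'), ('I', (1, 0), 'C'),  # sign bit; (0, 1) would overflow
           ('N', (0, 0), 'N'), ('N', (1, 1), 'N'), ('N', (0, 1), 'C'), ('C', (1, 0), 'C')},
          {'C'})  # bit 0 always receives the carry of the "+1", so accepting runs end in 'C'
IDENT = NFA({'d'}, product(BITS, BITS), {'d'}, {('d', (b, b), 'd') for b in BITS}, {'d'})  # T_id

def encode(x, width):
    """Two's-complement encoding of x on `width` bits, MSB first."""
    return tuple((x >> i) & 1 for i in reversed(range(width)))

def decode(bits):
    value = int(''.join(map(str, bits)), 2)
    return value - (1 << len(bits)) if bits[0] else value

def from_words(words):
    """Single-track automaton accepting exactly the given finite set of words (one chain per word)."""
    delta = {((w, i), (s,), (w, i + 1)) for w in words for i, s in enumerate(w)}
    states = {(w, i) for w in words for i in range(len(w) + 1)}
    return NFA(states, {(b,) for b in BITS}, {(w, 0) for w in words}, delta, {(w, len(w)) for w in words})

def int_range(width):
    return range(-(1 << (width - 1)), 1 << (width - 1))

def pairs_accepted(T, width):
    """All integer pairs (x, y) whose width-bit encodings, read in lockstep, form a word of T."""
    return {(x, y) for x in int_range(width) for y in int_range(width)
            if T.accepts(tuple(zip(encode(x, width), encode(y, width))))}

def image_values(T, A, width):
    """Integers whose width-bit encoding is accepted by T(A)."""
    img = image(T, A, BITS)
    return {decode(w) for w in product(BITS, repeat=width) if img.accepts(tuple((b,) for b in w))}

def is_reflexive(T, width):
    """Bounded check of L(T_id) subseteq L(T): every pair (x, x) of the given width is accepted."""
    return all(T.accepts(tuple(zip(encode(x, width), encode(x, width)))) for x in int_range(width))
```

pairs_accepted(INC, 4) yields exactly the pairs (x, x+1) whose two sides are both representable on 4 bits, compose(INC, INC, BITS) the pairs (x, x+2), and image_values(INC, from_words([...]), 4) the image of a finite set of values. INC itself is not reflexive (no pair (x, x) is accepted), whereas union(INC, IDENT) is; this is the T_0 = T ∪ T_id of the introduction. is_reflexive only inspects the words of one width, the actual criterion L(T_id) ⊆ L(T) is a language inclusion.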

3. COUNTER AUTOMATA

We introduce counter-word automata, a class of automata whose states are augmented
by a vector of counters. Counter-word automata are intended to be used
in our procedure for checking the preciseness of an extrapolation. All the concepts
presented in this section are thus developed for this purpose.

3.1 Definitions

We start with the definition of a counter automaton.

Definition 3.1. A counter-word automaton (counter automaton for short) over
an alphabet $\Sigma$ is a tuple $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$, where

— $n \in \mathbb{N}$ is the counter dimension of $A_c$,

— $c = (c_1, \ldots, c_n)$ is a vector of counters whose values range over the natural numbers.
A counter valuation $v \in \mathbb{N}^n$ for $c$ is a vector of natural numbers, where the
$i$th component of $v$ assigns a value to $c_i$,

— $Q$ is a set of states (unless stated otherwise, $Q$ is assumed to be finite),

— $\Sigma$ is a finite alphabet,

— $Q_0 \subseteq Q$ is a set of initial states,

— $\Delta \subseteq Q \times (\Sigma \times \mathbb{N}^n) \times Q$ is a finite transition relation, and

— $F \subseteq Q$ is a set of accepting states.

Let $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$ be a counter automaton. If $(q_1, (a, v), q_2) \in \Delta$,
then we say that there is a transition from $q_1$ (the origin) to $q_2$ (the destination)
labeled by $a$, and associated to the counter valuation $v$. The initial value of each
counter is 0, and each time a transition is followed, the current values of the counters
are incremented with the counter valuation associated to the transition. Given
a counter automaton $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$, the maximal increment value of
$A_c$ is the smallest $d \in \mathbb{N}$ such that $\Delta \subseteq Q \times (\Sigma \times [0, d]^n) \times Q$. Counter automata
being finite structures, the maximal increment value can always be computed by
enumerating the elements of the transition relation. As finite automata, counter
automata are graphically represented with edge-labeled directed graphs. We emphasize
the counter increment vector associated to each transition by preceding it
with a dedicated symbol.
Our aim is to associate counter valuations to the words accepted by a counter
automaton. For doing so, we first define a notion of accepted language that does
not take the counters into account. We propose the following definition.

Definition 3.2. Let $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$ be a counter automaton. The
counterless automaton corresponding to $A_c$ is the finite automaton $A = (Q, \Sigma, Q_0, \Delta', F)$, where

$\Delta' = \{(q, a, q') \in Q \times \Sigma \times Q \mid (\exists v \in \mathbb{N}^n)((q, (a, v), q') \in \Delta)\}.$

Definition 3.3. The language accepted by a counter automaton $A_c$, denoted
$L(A_c)$, is the language accepted by its corresponding counterless automaton. If
$w \in L(A_c)$, then we say that $w$ is accepted by $A_c$.

We now describe how and when a counter automaton can assign counter values
to the words it accepts. Let $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$ be a counter automaton.
Assume first that $A_c$ describes a set of finite words. A run of $A_c$ on a finite word
$w : \{0, \ldots, m-1\} \to \Sigma$ is a labeling $\rho : \{0, \ldots, m\} \to (Q \times \mathbb{N}^n)$ such that

(1) $\rho(0) \in (Q_0 \times \{\mathbf{0}\})$, and

(2) $(\forall 0 \le i \le m-1)$, $\rho(i+1) = (q_{i+1}, v_{i+1})$ if and only if $\rho(i) = (q_i, v_i)$ and
there exists $(q_i, (w(i), v), q_{i+1}) \in \Delta$ with $v_{i+1} = v_i + v$.

Let $\rho(m) = (q_f, v)$. If $q_f \in F$, then we say that $\rho$ is an accepting run and
that $w$ is accepted by $A_c$ with the counter valuation $v$. Otherwise $\rho$ is rejecting for
$w$. The automaton $A_c$ being a finite-word automaton, we can always associate at
least one counter valuation to each word $w \in L(A_c)$. Observe that if the counterless
automaton of $A_c$ behaves nondeterministically on $w$, then this word may be
associated to several counter valuations. There can be accepting and nonaccepting
runs that assign the same counter valuation to $w$.

We now switch to the case of infinite words. A run of $A_c$ on an infinite word
$w : \mathbb{N} \to \Sigma$ is a labeling $\rho : \mathbb{N} \to (Q \times \mathbb{N}^n)$ such that

(1) $\rho(0) \in (Q_0 \times \{\mathbf{0}\})$, and

(2) $(\forall 0 \le i)$, $\rho(i+1) = (q_{i+1}, v_{i+1})$ if and only if $\rho(i) = (q_i, v_i)$ and there exists
$(q_i, (w(i), v), q_{i+1}) \in \Delta$ with $v_{i+1} = v_i + v$.

Contrary to the finite-word case, it is generally not possible to associate a counter
valuation to $\rho$. Indeed, it could be the case that the counters are incremented
an unbounded number of times. There are however sub-classes of infinite-word
counter automata for which it is always possible to assign a counter valuation to
each of their accepting runs. This is illustrated with the following definition.

Definition 3.4. Let $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$ be a weak Büchi counter automaton.
We say that $A_c$ is run-bounded if for each of its accepting strongly connected
components $S \subseteq F$ and states $q_1, q_2 \in S$, any transition that goes from $q_1$ to $q_2$ is
associated with the counter valuation $\mathbf{0}$.

The structure of a run-bounded weak Büchi counter automaton ensures that for
each of its accepting runs, after having followed a finite number of transitions, the values of
the counters are no longer incremented. Hence, one can reason on a finite prefix
of the run to deduce its counter valuation. Let $A_c = (n, c, Q, \Sigma, Q_0, \Delta, F)$ be a run-bounded
weak Büchi counter automaton and $\rho$ be one of its runs. We say that $\rho$ is
an accepting run and that $w$ is accepted by $A_c$ with the counter valuation $v$ if and
only if $inf(\rho) \cap (F \times \{v\}) \neq \emptyset$, where $inf(\rho)$ is the set of configurations that appear
infinitely often in $\rho$. Otherwise $\rho$ is rejecting for $w$.

In the rest of this paper, we will only consider finite-word and run-bounded weak
Büchi counter automata. We can now define a notion of counter language, which
takes the counters into account.

Definition 3.5. The counter language of a counter automaton $A_c$, denoted $C(A_c)$,
is the set of pairs $(w, v)$ such that $w$ can be accepted by $A_c$ with counter valuation
$v$.

Observe that the class of counter-word automata is particular with respect to
existing classes of counter automata², such as reversal bounded counter automata
[Ibarra 1978], constraint automata [Henglein and Rehof 1998], Parikh automata
[Klaedtke and Rueß 2003], or weighted automata [Mohri 2003]. Indeed, counter-word
automata use the counter part of the automaton to assign counter valuations
to a word when this word is accepted by the automaton, rather than to restrict
the language accepted by the automaton. Introducing constraints on the counters
before the word is accepted³ generally leads to more powerful models⁴ for which
most problems are undecidable. The expressiveness of those models is not needed
for the practical applications we consider in this paper.

3.2 Graph-Based Operations 

In this section, the operations of intersection and composition defined for finite 
automata are extended to counter automata. We have the following definitions. 

Definition 3.6. Let $A_{c_1} = (n_1, \mathbf{c}_1, Q_1, \Sigma, Q_{0_1}, \Delta_1, F_1)$ and $A_{c_2} = (n_2, \mathbf{c}_2, Q_2, \Sigma, Q_{0_2}, \Delta_2, F_2)$ be two finite-word (respectively, run-bounded weak Büchi) counter automata. The counter-intersection between $A_{c_1}$ and $A_{c_2}$, denoted $A_{c_1} \cap_c A_{c_2}$, is the finite-word (respectively, run-bounded weak Büchi) counter automaton $A_c = (n_1 + n_2, \mathbf{c}_1 \times \mathbf{c}_2, Q, \Sigma, Q_0, \Delta, F)$ with $L(A_c) = L(A_{c_1}) \cap L(A_{c_2})$ and $\mathcal{L}(A_c) = \{(w, \mathbf{v}) \in \Sigma^* \times \mathbb{N}^{n_1+n_2}$ (respectively, $\Sigma^\omega \times \mathbb{N}^{n_1+n_2}$) $\mid (\exists (w, \mathbf{v}_1) \in \mathcal{L}(A_{c_1}))(\exists (w, \mathbf{v}_2) \in \mathcal{L}(A_{c_2}))(\mathbf{v} = \mathbf{v}_1 \times \mathbf{v}_2)\}$.

Definition 3.7. Let $T_{c_1} = (n_1, \mathbf{c}_1, Q_1, \Sigma^2, Q_{0_1}, \Delta_1, F_1)$ and $T_{c_2} = (n_2, \mathbf{c}_2, Q_2, \Sigma^2, Q_{0_2}, \Delta_2, F_2)$ be two finite-word (respectively, run-bounded weak Büchi) counter transducers. The counter-composition of $T_{c_1}$ by $T_{c_2}$, denoted $T_{c_2} \circ_c T_{c_1}$, is the finite-word (respectively, run-bounded weak Büchi) counter transducer $T_c = (n_1 + n_2, \mathbf{c}_1 \times \mathbf{c}_2, Q, \Sigma^2, Q_0, \Delta, F)$, with $L(T_c) = L(T_2 \circ T_1)$ and $\mathcal{L}(T_c) = \{(w, \mathbf{v}) \in (\Sigma^2)^* \times \mathbb{N}^{n_1+n_2}$ (respectively, $(\Sigma^2)^\omega \times \mathbb{N}^{n_1+n_2}$) $\mid (\exists (w_1, \mathbf{v}_1) \in \mathcal{L}(T_{c_1}))(\exists (w_2, \mathbf{v}_2) \in \mathcal{L}(T_{c_2}))(\mathbf{v} = \mathbf{v}_1 \times \mathbf{v}_2 \wedge w = w_2 \circ w_1)\}$.

Definition 3.8. Let $T_1 = (Q_1, \Sigma^2, Q_{0_1}, \Delta_1, F_1)$ be a finite-word (respectively, run-bounded weak Büchi) transducer, and $A_{c_2} = (n_2, \mathbf{c}_2, Q_2, \Sigma, Q_{0_2}, \Delta_2, F_2)$ be a finite-word (respectively, run-bounded weak Büchi) counter automaton. The counter-image of $A_{c_2}$ by $T_1$, denoted $T_1(A_{c_2})$, is the finite-word (respectively, Büchi) counter automaton $A_c = (n_2, \mathbf{c}_2, Q, \Sigma, Q_0, \Delta, F)$, where $L(A_c) = L(T_1(A_{c_2}))$ and $\mathcal{L}(A_c) = \{(w, \mathbf{v}_2) \in \Sigma^* \times \mathbb{N}^{n_2}$ (respectively, $\Sigma^\omega \times \mathbb{N}^{n_2}$) $\mid (\exists w_1 \in L(T_1))(\exists (w_2, \mathbf{v}_2) \in \mathcal{L}(A_{c_2}))(w = w_2 \circ w_1)\}$.

^a As an example, we cannot test the values of the counters.

^b As an example, one could associate constraints on each transition.

^c As an example, models that can recognize nonregular languages [Klaedtke and Rueß 2003].

3.3 Counter-Based Operations 

Let $A_c$ be an $n$-dimensional counter automaton over the alphabet $\Sigma$, and $d$ its maximal increment value. The extended automaton of $A_c$, denoted $(A_c)^e$, is the finite automaton (without counters) obtained from $A_c$ by augmenting the label of each of its transitions with its corresponding counter valuation. We have the following definition.

Definition 3.9. Let $A_c = (n, \mathbf{c}, Q, \Sigma, Q_0, \Delta, F)$ be a counter automaton whose maximal increment value is $d$. The extended automaton corresponding to $A_c$ is the finite automaton $A = (Q, \Sigma', Q_0, \Delta', F)$, where

— $\Sigma' = \Sigma \times [0, d]^n$, and

— $\Delta' = \{(q, a', q') \in Q \times \Sigma' \times Q \mid (\exists \mathbf{v} \in \mathbb{N}^n)((q, (a, \mathbf{v}), q') \in \Delta \wedge a' = a \times \mathbf{v})\}$.

An $n$-dimensional counter automaton over an alphabet $\Sigma$ whose maximal increment value is $d$ can be viewed as a finite automaton over the alphabet $\Sigma \times [0, d]^n$ and, conversely, a finite automaton over an alphabet $\Sigma \times [0, d]^n$ can be viewed as an $n$-dimensional counter automaton over the alphabet $\Sigma$ whose maximal increment value is $d$. The alphabet $\Sigma \times [0, d]^n$ is referred to as the extended alphabet of $A_c$.

If $A_c$ is a finite-word counter automaton, then we say that it is universal if and only if $L((A_c)^e) = (\Sigma \times [0, d]^n)^*$. If $A_c$ is a run-bounded weak Büchi counter automaton, then it is universal if and only if $L((A_c)^e) = (\Sigma \times [0, d]^n)^* (\Sigma \times \mathbf{0})^\omega$.

Definition 3.10. Consider two counter automata $A_{c_1}$ and $A_{c_2}$ of the same dimension. The extended intersection (respectively, union) between $A_{c_1}$ and $A_{c_2}$, denoted $A_{c_1} \cap_e A_{c_2}$ (respectively, $A_{c_1} \cup_e A_{c_2}$), is a counter automaton $A_c$ such that $(A_c)^e = (A_{c_1})^e \cap (A_{c_2})^e$ (respectively, $(A_c)^e = (A_{c_1})^e \cup (A_{c_2})^e$).

The extended intersection (respectively, union) of two counter automata can easily be computed by applying a classical intersection (respectively, union) algorithm to their extended versions. We also have the following proposition.

Proposition 3.11. The extended intersection/union of two run-bounded weak Büchi counter automata is a run-bounded weak Büchi counter automaton.

Definition 3.12. Let $A = (Q, \Sigma, Q_0, \Delta, F)$ be a finite-word (respectively, Büchi) automaton. The counter-zero automaton corresponding to $A$ is the one-dimensional counter automaton $A_c = (1, c_1, Q, \Sigma, Q_0, \Delta', F)$, where

— $\Delta' = \{(q, (a, 0), q') \in Q \times (\Sigma \times \{0\}) \times Q \mid (q, a, q') \in \Delta\}$.

The problem of testing the equivalence between counter languages is known to be undecidable for many classes of counter automata [Ibarra 1978], but decidability results exist for some very particular classes [Roos 1988]. The algorithms involved in those decidability results are known to be of high complexity and difficult to implement. Rather than trying to extend those results to counter-word automata, we preferred to propose a sufficient criterion that can easily be implemented with simple automata-based manipulations. Our criterion is formalized with the following proposition.

Fig. 2. Two finite-word counter automata.

Proposition 3.13. Let $A_{c_1}$ and $A_{c_2}$ be two finite-word (respectively, Büchi) counter automata of the same dimension. If $L(A^e_{c_1}) = L(A^e_{c_2})$, then $\mathcal{L}(A_{c_1}) = \mathcal{L}(A_{c_2})$.

There are situations where $L(A^e_{c_1}) \neq L(A^e_{c_2})$, while $\mathcal{L}(A_{c_1}) = \mathcal{L}(A_{c_2})$.

Example 3.14. Consider the two finite-word counter automata $A_{c_1}$ and $A_{c_2}$ given in Figure 2. The automaton $A^e_{c_1}$ does not accept the same language as $A^e_{c_2}$. However, $\mathcal{L}(A_{c_1}) = \mathcal{L}(A_{c_2})$.

The projection operation for finite automata extends to a counter projection for 
counter automata. We have the following definition. 

Definition 3.15. Let $A_c = (n, \mathbf{c}, Q, \Sigma, Q_0, \Delta, F)$ be a counter automaton. For $1 \le i \le n$, the projection of $A_c$ w.r.t. counter $c_i$, denoted $\Pi_{(c_i)}(A_c)$, is the counter automaton $A'_c = (n-1, \mathbf{c}', Q, \Sigma, Q_0, \Delta', F)$, where $\mathbf{c}' = (c_1, \ldots, c_{i-1}, c_{i+1}, \ldots, c_n)$, $L(A_c) = L(A'_c)$, and $\mathcal{L}(A'_c) = \{(w, \mathbf{c}_1 \times \mathbf{c}_2) \mid \mathbf{c}_1 \times \mathbf{c}_2 \in \mathbb{N}^{n-1} \wedge (\exists c_3 \in \mathbb{N})((w, \mathbf{c}_1 \times c_3 \times \mathbf{c}_2) \in \mathcal{L}(A_c))\}$.

In the rest of the paper, we use the shortcut $\Pi_{(\{c_1, c_2, \ldots, c_n\})}(A)$ for

$\Pi_{(c_1)}(\Pi_{(c_2)} \ldots (\Pi_{(c_n)}(A)) \ldots)$.

We now present a methodology that, given a counter automaton $A$, computes another counter automaton $A'$ whose accepted words are those of $A$ that satisfy counter constraints. We start with the following definition.

Definition 3.16. Let $A_c$ be a finite-word (respectively, run-bounded weak Büchi) $n$-dimensional counter automaton and $1 \le i, j \le n$ be integers. We define $(A_c)^{c_i > c_j}$ to be the counter automaton obtained from $A_c$ by removing all the accepting runs that do not assign a greater value to $c_i$ than to $c_j$. The automaton $(A_c)^{c_i > c_j}$ may have an infinite set of states since its language may not be regular.

In the rest of the paper, we use the notation $(A_c)^{c_{i_1} > c_{j_1}, \ldots, c_{i_k} > c_{j_k}}$ to denote

Let $A_c$ be a finite-word (respectively, run-bounded weak Büchi) $n$-dimensional counter automaton over $\Sigma$ whose maximal increment value is $d$. A way to compute $(A_c)^{c_i > c_j}$ could be to build a universal finite-word (respectively, run-bounded weak Büchi) counter automaton $A^U_c$ defined over the same extended alphabet as $A_c$ and then take the extended intersection between $(A^U_c)^{c_i > c_j}$ and $A_c$. For any word $w \in \Sigma^*$ (respectively, $w \in \Sigma^\omega$), the automaton $(A^U_c)^{c_i > c_j}$ contains all the accepting runs on $w$ that satisfy the condition $c_i > c_j$. Hence, taking the extended intersection between $(A^U_c)^{c_i > c_j}$ and $A_c$ will remove from $A_c$ all the accepting runs that do not satisfy $c_i > c_j$. However, since there is no bound on the difference between the values of $c_i$ and $c_j$ before the word is accepted, the automaton $(A^U_c)^{c_i > c_j}$ will have an infinite number of states. Indeed, there should be one state for each possible value of $c_i - c_j$. To avoid having to work with infinite-state automata, we impose a synchronization between the counters that need to be compared. As a consequence, we may not exactly compute $(A_c)^{c_i > c_j}$ but an automaton whose language and counter language are subsets of those of $(A_c)^{c_i > c_j}$. As we will see in Section 9, imposing this synchronization is sufficient for the applications we will consider. We have the following definition.

Definition 3.17. Let $A_c = (n, \mathbf{c}, Q, \Sigma, Q_0, \Delta, F)$ be a finite-word (respectively, run-bounded weak Büchi) counter automaton and $M \in \mathbb{N}$ a synchronization bound. Let $\Delta_{c_i}(\alpha)$ denote the difference between the value associated to the counter $c_i$ in the last and in the first state of the subrun $\alpha$ of a run $\rho$ on $w$. The automaton $A_c$ is $M$-synchronized with respect to the counters $c_i$ and $c_j$ if $L(A_c) = L((A_c)^{c_i > c_j})$ and, for each $w \in L(A_c)$, each accepting run $\rho$ on $w$ and each subrun $\alpha$ of $\rho$, we have $|\Delta_{c_j}(\alpha) - \Delta_{c_i}(\alpha)| < M$.

Definition 3.18. The finite-word (respectively, run-bounded weak Büchi) counter automaton $A^U_c = (n, \mathbf{c}, Q, \Sigma, Q_0, \Delta, F)$ is $M$-Universal-synchronized w.r.t. counters $c_i$ and $c_j$ if and only if it is $M$-synchronized w.r.t. $c_i$ and $c_j$, and $L(A^U_c) = \Sigma^*$ (respectively, $L(A^U_c) = \Sigma^\omega$).

Rather than computing $(A_c)^{c_i > c_j}$, we propose to compute an $M$-synchronized automaton whose language and counter language are subsets of those of $(A_c)^{c_i > c_j}$. For this, we intersect $A_c$ with an $M$-Universal-synchronized automaton. Observe that there can be an infinite number of automata which are $M$-Universal-synchronized w.r.t. $c_i$ and $c_j$. Clearly, when taking the extended intersection between a counter automaton $A_c$ and an $M$-Universal-synchronized automaton $A^U_c$ defined over the same extended alphabet, we obtain an automaton which is $M$-synchronized and whose language and counter language are subsets of those of $A_c$. The requirement $L(A^U_c) = \Sigma^*$ (respectively, $L(A^U_c) = \Sigma^\omega$) in Definition 3.18 is there to make sure that accepting runs are removed from $A_c$ only if they do not satisfy the constraints over $c_i$ and $c_j$.

4. THE (ω-)REGULAR MODEL CHECKING FRAMEWORK

In this paper, we suppose that states of a system are encoded by words over a fixed alphabet. If the states are encoded by finite words, then sets of states can be represented by finite-word automata and relations between states by finite-word transducers. This setting is referred to as Regular Model Checking [Kesten et al. 1997; Wolper and Boigelot 1998]. If the states are encoded by infinite words, then sets of states can be represented by deterministic weak Büchi automata and relations between states by deterministic weak Büchi transducers. This setting is referred to as ω-Regular Model Checking [Boigelot et al. 2004]. Formally, a finite automata-based representation of a system can be defined as follows.



Definition 4.1. A (ω-)regular system for a system $\mathcal{T} = (S, S_0, R)$ is a triple $M = (\Sigma, A, T)$, where

— $\Sigma$ is a finite alphabet over which the states are encoded as finite (respectively, infinite) words;

— $A$ is a deterministic finite-word (respectively, deterministic weak Büchi) automaton over $\Sigma$ that represents $S_0$;

— $T$ is a deterministic finite-word (respectively, deterministic weak Büchi) transducer over $\Sigma^2$ that represents $R$. In the rest of the paper, $T$ is assumed to be reflexive.

In the finite-word case, an execution of the system is an infinite sequence of same-length finite words over $\Sigma$. The Regular Model Checking framework was first used to represent parametric systems [Abdulla et al. 2002; Bouajjani and Touili 2002; Kesten et al. 1997; Abdulla et al. 1999; Bouajjani et al. 2000; Kesten et al. 2002]. The framework can also be used to represent various other models, which include linear integer systems [Wolper and Boigelot 1995; 2000], FIFO-queue systems [Boigelot and Godefroid 1996], XML specifications [Bouajjani et al. 2006; Touili and d'Orso 2006], and heap analysis [Bouajjani et al. 2005; Bouajjani et al. 2006].

As an illustration, we give details on how to represent parametric systems. Let $P$ be a process represented by a finite-state system. A parametric system for $P$ is an infinite family $\mathcal{S} = \{S_n\}_{n \ge 0}$ of networks where, for a fixed $n$, $S_n$ is an instance of $\mathcal{S}$, i.e., a network composed of $n$ copies of $P$ that work together in parallel. In the Regular Model Checking framework, the finite set of states of each process is represented as an alphabet $\Sigma$. Each state of an instance of the system can then be encoded as a finite word $w = w(0) \ldots w(n-1)$ over $\Sigma$, where $w(i-1)$ encodes the current state of the $i$th copy of $P$. Sets of states of several instances can thus be represented by finite-word automata. Observe that the states of an instance $S_n$ are all encoded with words of the same length. Consequently, relations between states in $S_n$ can be represented by binary finite-word relations, and eventually by transducers.

Example 4.2. Consider a simple example of a parametric network of identical processes implementing a token ring algorithm. Each of these processes can be either in idle or in critical mode, depending on whether or not it owns the unique token. Two neighboring processes can communicate with each other as follows: a process owning the token can give it to its right-hand neighbor. We consider the alphabet $\Sigma = \{N, T\}$. Each process can be in one of the two following states: $T$ (has the token) or $N$ (does not have the token). Given a word $w \in \Sigma^*$ with $|w| = n$ (meaning that $n$ processes are involved in the execution), we assume that the process whose states are encoded in position $w(0)$ is the right-hand neighbor of the one whose states are encoded in position $w(n-1)$. The transition relation can be encoded as the union of the two following regular relations:

(1) $(N,N)^*(T,N)(N,T)(N,N)^*$ to describe the move of the token from $w(i)$ to $w(i+1)$ (with $0 \le i \le n-2$), and

(2) $(N,T)(N,N)^*(T,N)$ to describe the move of the token from $w(n-1)$ to $w(0)$.

The set of all possible initial states where the first process has the token is given by $TN^*$.

In the infinite-word case, an execution of the system is an infinite sequence of infinite words over $\Sigma$. The ω-Regular Model Checking framework has been used for handling systems with both integer and real variables [Boigelot and Wolper 2002; Boigelot et al. 2005], such as linear hybrid systems with a constant derivative (see examples in [Alur et al. 1995] or in [Bouajjani et al. 2004; Legay 2007]).

It is known that verifying properties of systems in the (ω-)Regular Model Checking framework generally reduces to solving the (ω-)Regular Reachability Problems [Pnueli and Shahar 2000; Bouajjani et al. 2000; Boigelot et al. 2004; Abdulla et al. 2004; Legay 2007; Bouajjani et al. 2004] that are defined hereafter.

Definition 4.3. Let $A$ be a deterministic finite-word (respectively, deterministic weak Büchi) automaton, and $T$ be a reflexive deterministic finite-word (respectively, deterministic weak Büchi) transducer. The (ω-)Regular Reachability Problems for $A$ and $T$ are the following:

(1) Computing $T^*(A)$: the goal is to compute a finite-word (respectively, weak Büchi) automaton representing $T^*(A)$. If $A$ represents a set of states $S$ and $T$ a relation $R$, then $T^*(A)$ represents the set of states that can be reached from $S$ by applying $R$ an arbitrary number of times;

(2) Computing $T^*$: the goal is to compute a finite-word (respectively, weak Büchi) transducer representing the reflexive transitive closure of $T$. If $T$ represents a subset of a power of a reachability relation $R$, then $T^*$ represents its closure.

The (ω-)Regular Reachability Problems are undecidable [Apt and Kozen 1986], but partial solutions exist. Studying those solutions is the subject of the rest of this paper.
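As an added illustration (not code from the paper), the token ring of Example 4.2 is run as a finite instance of the reachability problem $T^*(A)$ of Definition 4.3: the two regular relations and the initial set $TN^*$ are encoded as regular expressions over the pair alphabet, and the iterates $A, T(A), T^2(A), \ldots$ are computed for a fixed number of processes, where the sequence stabilises. The regular-expression encoding and the helper names are my own assumptions.

```python
"""Token ring of Example 4.2 as a finite Regular Model Checking instance.
Added illustration, not the paper's code: the relation R and the initial set
are encoded with regular expressions over the pair alphabet (an assumption)."""
import re
from itertools import product

# The transducer T of Example 4.2 reads pairs (w(i), w'(i)); a pair is written
# as two letters, so "TN" is the pair (T, N): process i hands the token over.
RIGHT_MOVE = re.compile(r"^(NN)*(TN)(NT)(NN)*$")   # (N,N)*(T,N)(N,T)(N,N)*
WRAP_MOVE = re.compile(r"^(NT)(NN)*(TN)$")         # (N,T)(N,N)*(T,N)
INITIAL = re.compile(r"^TN*$")                     # initial states TN*


def all_words(n):
    """Every word of length n over Sigma = {N, T}, i.e. every state of S_n."""
    return ["".join(p) for p in product("NT", repeat=n)]


def related(w, w2):
    """(w, w2) is in R iff the pair word is accepted by one of the two relations."""
    if len(w) != len(w2):
        return False
    pair_word = "".join(a + b for a, b in zip(w, w2))
    return bool(RIGHT_MOVE.match(pair_word) or WRAP_MOVE.match(pair_word))


def image(states, n):
    """T(S): the successors under R of every word in S (instance with n processes)."""
    return {w2 for w in states for w2 in all_words(n) if related(w, w2)}


def reachability_iterates(n):
    """The sequence A, T(A), T^2(A), ... of Definition 4.3 for the n-process
    instance, stopped once it stabilises; the last element is T*(A).
    T is reflexive (Definition 4.1), so each iterate keeps the previous one."""
    current = {w for w in all_words(n) if INITIAL.match(w)}
    iterates = [current]
    while True:
        nxt = current | image(current, n)
        if nxt == current:
            return iterates
        current = nxt
        iterates.append(current)


def single_token(states):
    """The invariant one would check on T*(A): every reachable state has one token."""
    return all(w.count("T") == 1 for w in states)


if __name__ == "__main__":
    for k, s in enumerate(reachability_iterates(4)):
        print(f"T^{k}(A) =", sorted(s))
```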

5. ON SOLVING (ω-)REGULAR REACHABILITY PROBLEMS

Among the techniques to solve the (ω-)Regular Reachability Problems, one distinguishes between domain specific and generic techniques. Domain specific techniques exploit the specific properties and representations of the domain being considered and were for instance obtained for systems with FIFO-queues in [Boigelot and Godefroid 1996; Bouajjani and Habermehl 1997], for systems with integers and reals in [Boigelot 1999; Boigelot and Wolper 2002; Boigelot et al. 2003], for pushdown systems in [Finkel et al. 1997; Bouajjani et al. 1997], and for lossy queues in [Abdulla and Jonsson 1996]. Generic techniques [Kesten et al. 1997; Bouajjani et al. 2000; Jonsson and Nilsson 2000; Bouajjani et al. 2004; Boigelot et al. 2003; 2004; Touili 2001; Dams et al. 2002; Abdulla et al. 2003; Vardhan et al. 2004; 2005] consider automata-based representations and provide algorithms that operate directly on these representations, mostly disregarding the domain for which they are used.

In this paper, we propose a new generic technique for solving the (ω-)Regular Reachability Problems. We use the following definition.

Definition 5.1. Given a possibly infinite sequence $A^1, A^2, \ldots$ of automata, the limit of this sequence is an automaton $A^*$ such that $L(A^*) = \bigcup_i L(A^i)$.

Consider a transducer $T$ and an automaton $A$. We first observe that the computations of both $T^*$ and $T^*(A)$ can be reduced to the computation of the limit of a possibly infinite sequence of automata. Indeed, computing $T^*$ amounts to computing the limit of $T^1, T^2, T^3, T^4, \ldots$, and computing $T^*(A)$ amounts to computing the limit of $A, T^1(A), T^2(A), T^3(A), \ldots$. We propose a generic technique which can compute the limit of a sequence of automata by extrapolating one of its finite sampling sequences, i.e., selected automata from a finite prefix of the sequence. The extrapolation step proceeds by comparing successive automata in the sampling sequence, trying to identify the difference between these in the form of an increment, and extrapolating the repetition of this increment by adding loops to the last automaton of the sequence. After the extrapolation has been built, one has to check whether it corresponds to the limit of the sequence. If this is the case, the computation terminates; otherwise, another sampling sequence has to be chosen. This is a semi-algorithm since there is no guarantee that (1) we can find a sampling sequence that can be extrapolated, and (2) the result of the extrapolation will be the desired closure.

The presentation of our solution is organized as follows. Section 6 discusses the choice of the sampling sequence. Section 7 presents a methodology to detect increments. Section 8 presents several extrapolation algorithms. Finally, Section 9 introduces criteria to determine the correctness of the extrapolation. An implementation of those results as well as some experiments are presented in Section 10.

6. CHOOSING THE SAMPLING SEQUENCE 

Choosing the sampling sequence is a rather tricky issue and there is no guarantee that this can be done in a way that ensures that the extrapolation step can be applied. However, there are heuristics that are very effective for obtaining a sampling sequence that can be extrapolated. The following lemma shows that the sampling sequence can be selected quite arbitrarily, assuming that $T$ is reflexive.

Lemma 6.1. Let $T$ be a reflexive transducer and $A$ be an automaton. If $s = s_0, s_1, s_2, \ldots$ is an infinite increasing subsequence of the natural numbers, then $L(T^*) = \bigcup_{k \ge 0} L(T^{s_k})$ and, similarly, $L(T^*(A)) = \bigcup_{k \ge 0} L(T^{s_k}(A))$.

Proof. The lemma follows directly from the fact that for any $i \ge 0$, there is an $s_k \in s$ such that $s_k \ge i$ and that, since $T$ is reflexive, $(\forall j \le i)(L(T^j) \subseteq L(T^i))$ (respectively, $L(T^j(A)) \subseteq L(T^i(A))$). □

As an example, for the cases of FIFO-queue, pushdown, and parametric systems, we observed that considering sample points of the form $s_k = ak$, where $a \in \mathbb{N}$ is a constant, turns out to be very useful. For the case of arithmetic, we observed that the useful sampling points are often of the form $s_k = a^k$. Sampling sequences with sampling points of the form $s_k = ak$ are called linear, while sampling sequences with sampling points of the form $s_k = a^k$ are called exponential.

Example 6.2. Figure 3 shows the minimal transducer of Example 2.9 composed with itself 2, 4, 8 and 16 times. The difference between the graphs for $T^4$ and $T^8$ takes the form of an increment represented by the set of states $\{2, 6\}$ in $T^8$. This increment is repeated between $T^8$ and $T^{16}$. Consequently, $T^{16}$ differs from $T^4$ by the addition of two increments represented by the sets $\{3, 8\}$ and $\{2, 7\}$.

7. DETECTING INCREMENTS 

We consider a finite sequence $A^1, A^2, \ldots, A^n$ of finite automata that are either all finite-word automata or all weak Büchi automata. Those automata are assumed to be deterministic and minimal. Our goal is to determine whether, for sufficiently large $i$, the automaton $A^{i+1}$ differs from $A^i$ by some additional constant finite-state structure. Our strategy consists in comparing a finite number of successive automata until a suitable increment can be detected.

For each $i > 0$, let $A^i = (Q^i, \Sigma, q_0^i, \delta^i, F^i)$. To identify common parts between two successive automata $A^i$ and $A^{i+1}$, we first look for states of $A^i$ and $A^{i+1}$ from which identical languages are accepted. Precisely, we compute a forward equivalence relation $E^i_f \subseteq Q^i \times Q^{i+1}$ between $A^i$ and $A^{i+1}$. Since we are dealing with deterministic minimal automata, the forward equivalence $E^i_f$ is one-to-one (though not total) and can easily be computed by partitioning the states of the joint automaton $(Q^i \cup Q^{i+1}, \Sigma, q_0^i, \delta^i \cup \delta^{i+1}, F^i \cup F^{i+1})$ according to their accepted language. For finite-word automata, this operation is easily carried out by Hopcroft's finite-state minimization procedure [Hopcroft 1971]. For weak Büchi automata, one uses the variant introduced in [Löding 2001].

Remark 7.1. Note that because the automata are minimal, the parts of $A^i$ and $A^{i+1}$ linked by $E^i_f$ are isomorphic (see Definition 2.7), incoming transitions being ignored.

Next, we search for states of $A^i$ and $A^{i+1}$ that are reachable from the initial state by identical languages. Precisely, we compute a backward equivalence relation $E^i_b \subseteq Q^i \times Q^{i+1}$ between $A^i$ and $A^{i+1}$. Since $A^i$ and $A^{i+1}$ are deterministic and minimal, the backward equivalence $E^i_b$ can be computed by forward propagation, starting from the pair $(q_0^i, q_0^{i+1})$ and exploring the parts of the transition graphs of $A^i$ and $A^{i+1}$ that are isomorphic to each other, if transitions leaving these parts are ignored.

Remark 7.2. Note that because the automata are minimal, the parts of $A^i$ and $A^{i+1}$ linked by $E^i_b$ are isomorphic, outgoing transitions being ignored.

We now define a notion of finite-state increment between two successive automata, in terms of the relations $E^i_f$ and $E^i_b$.

Fig. 3. Transducer of Example 6.2 at powers of two.

Fig. 4. Partitioning automata states.
Definition 7.3. Let $A^i = (Q^i, \Sigma, q_0^i, \delta^i, F^i)$ and $A^{i+1} = (Q^{i+1}, \Sigma, q_0^{i+1}, \delta^{i+1}, F^{i+1})$ be two minimal finite-word (respectively, minimal weak Büchi) automata. Let $E^i_b$ and $E^i_f$ be, respectively, the backward and forward equivalences computed between $A^i$ and $A^{i+1}$. The automaton $A^{i+1}$ is incrementally larger than $A^i$ if the relations $E^i_f$ and $E^i_b$ cover all the states of $A^i$. In other words, for each $q \in Q^i$, there must exist $q' \in Q^{i+1}$ such that $(q, q') \in E^i_b \cup E^i_f$.

If $A^{i+1}$ is incrementally larger than $A^i$, the increment consists of the states that are matched neither by $E^i_f$ nor by $E^i_b$.

Definition 7.4. Let $A^i = (Q^i, \Sigma, q_0^i, \delta^i, F^i)$ and $A^{i+1} = (Q^{i+1}, \Sigma, q_0^{i+1}, \delta^{i+1}, F^{i+1})$ be two minimal finite-word (respectively, minimal weak Büchi) automata. Let $E^i_b$ and $E^i_f$ be, respectively, the backward and forward equivalences computed between $A^i$ and $A^{i+1}$. If $A^{i+1}$ is incrementally larger than $A^i$, then

(1) the set $Q^i$ can be partitioned into $\{Q^i_H, Q^i_T\}$, such that

— The set $Q^i_H$ contains the states $q$ covered by $E^i_b$, i.e., for which there exists $q'$ such that $(q, q') \in E^i_b$;

— The set $Q^i_T$ contains the remaining states.

(2) The set $Q^{i+1}$ can be partitioned into $\{Q^{i+1}_H, Q^{i+1}_T, Q^{i+1}_I\}$, where

— The head part $Q^{i+1}_H$ is the image by $E^i_b$ of the set $Q^i_H$;

— The tail part $Q^{i+1}_T$ is the image by $E^i_f$ of the set $Q^i_T$, dismissing the states that belong to $Q^{i+1}_H$ (the intention is to have an unmodified head part);

— The increment $Q^{i+1}_I$ contains the states that do not belong to either $Q^{i+1}_H$ or $Q^{i+1}_T$.

Definitions 7.3 and 7.4 are illustrated in Figure 4.
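The forward and backward equivalences and the partition of Definitions 7.3 and 7.4, computed on a constructed family of minimal DFAs, as an added Python illustration that is not code from the paper. The tuple encoding of automata, the family chain_dfa (the language $x\,a^{\le i}\,y\,z$) and the way $E_b$ is filtered after the forward propagation (dropping states reached by a word the other automaton cannot read, or propagated to two different partners) are my own assumptions; it also checks the growth condition of Definition 7.5 over a short sequence.

```python
"""Forward and backward equivalences and the increment decomposition of
Definitions 7.3 and 7.4. Added illustration, not the paper's code. A DFA is
(states, alphabet, initial, delta, finals) with delta a dict {(q, a): q'};
a missing key is an undefined transition. Automata are assumed deterministic
and minimal, as in Section 7; the example family chain_dfa is constructed."""
from collections import Counter, deque


def forward_equivalence(A, B):
    """E_f: pairs (q, q') of A x B from which identical languages are accepted,
    obtained by partitioning the joint automaton by accepted language
    (Moore-style refinement; an undefined successor gets its own class -1)."""
    auto = {"A": A, "B": B}
    states = [(t, q) for t in ("A", "B") for q in auto[t][0]]
    alphabet = sorted(A[1] | B[1])

    def step(s, a):
        nxt = auto[s[0]][3].get((s[1], a))
        return None if nxt is None else (s[0], nxt)

    block = {s: int(s[1] in auto[s[0]][4]) for s in states}   # split by acceptance
    while True:
        sig = {s: (block[s],) + tuple(block.get(step(s, a), -1) for a in alphabet)
               for s in states}
        ids = {v: i for i, v in enumerate(sorted(set(sig.values())))}
        if len(ids) == len(set(block.values())):   # refinement is stable
            break
        block = {s: ids[sig[s]] for s in states}
    return {(q, q2) for (t, q) in states if t == "A"
            for (t2, q2) in states if t2 == "B" and block[(t, q)] == block[(t2, q2)]}


def reachable_from(M, seeds):
    """All states of M reachable from the set seeds (seeds included)."""
    seen, stack = set(seeds), list(seeds)
    while stack:
        q = stack.pop()
        for (p, _a), nxt in M[3].items():
            if p == q and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def backward_equivalence(A, B):
    """E_b: pairs (q, q') reached from the initial states by identical sets of
    words. Pairs are propagated forward from (q0, q0'); a state reached by a
    word the other automaton cannot read (or reached from such a state) has no
    partner, and neither has a state propagated to two different partners."""
    alphabet = sorted(A[1] | B[1])
    pairs, bad_a, bad_b = {(A[2], B[2])}, set(), set()
    queue = deque(pairs)
    while queue:
        q, q2 = queue.popleft()
        for a in alphabet:
            n, n2 = A[3].get((q, a)), B[3].get((q2, a))
            if n is not None and n2 is not None:
                if (n, n2) not in pairs:
                    pairs.add((n, n2))
                    queue.append((n, n2))
            elif n is not None:
                bad_a.add(n)
            elif n2 is not None:
                bad_b.add(n2)
    bad_a, bad_b = reachable_from(A, bad_a), reachable_from(B, bad_b)
    count_a, count_b = Counter(q for q, _ in pairs), Counter(q2 for _, q2 in pairs)
    return {(q, q2) for q, q2 in pairs
            if count_a[q] == 1 and count_b[q2] == 1
            and q not in bad_a and q2 not in bad_b}


def grow_decomposition(A, B):
    """Definition 7.3: is B incrementally larger than A?  If so, return the
    head part, tail part and increment of B as in Definition 7.4, else None."""
    Ef, Eb = forward_equivalence(A, B), backward_equivalence(A, B)
    if {q for q, _ in Ef} | {q for q, _ in Eb} != set(A[0]):
        return None
    head_states_a = {q for q, _ in Eb}             # Q_H^i: covered by E_b
    tail_states_a = set(A[0]) - head_states_a      # Q_T^i: the remaining states
    head = {q2 for q, q2 in Eb if q in head_states_a}
    tail = {q2 for q, q2 in Ef if q in tail_states_a} - head
    increment = set(B[0]) - head - tail
    return head, tail, increment


def grows_incrementally(seq):
    """Definition 7.5 (minimality assumed): each successive pair is incrementally
    larger and, from the second pair on, the new increment is the E_f-image of
    the previous one."""
    prev_inc = None
    for A, B in zip(seq, seq[1:]):
        dec = grow_decomposition(A, B)
        if dec is None:
            return False
        Ef = forward_equivalence(A, B)
        if prev_inc is not None and {q2 for q, q2 in Ef if q in prev_inc} != dec[2]:
            return False
        prev_inc = dec[2]
    return True


def chain_dfa(i):
    """Constructed family: minimal DFA for x a^{<=i} y z with states
    h0, ..., h(i+1) (the a-chain), t (after y) and f (accepting)."""
    states = [f"h{k}" for k in range(i + 2)] + ["t", "f"]
    delta = {("h0", "x"): "h1", ("t", "z"): "f"}
    for k in range(1, i + 2):
        delta[(f"h{k}", "y")] = "t"
        if k <= i:
            delta[(f"h{k}", "a")] = f"h{k + 1}"
    return (states, {"x", "a", "y", "z"}, "h0", delta, {"f"})


if __name__ == "__main__":
    print(grow_decomposition(chain_dfa(2), chain_dfa(3)))
```

Run stand-alone, it prints the decomposition of chain_dfa(3) against chain_dfa(2): head $\{h0, \ldots, h3\}$, tail $\{t, f\}$ and increment $\{h4\}$.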

Our expectation is that, when moving from one automaton to the next in the sequence, the increment will always be the same. We formalize this property with the following definition.

Definition 7.5. Let $S_I = A^i, A^{i+1}, \ldots, A^{i+k}$ and, for each $0 \le j \le k$, let $A^{i+j} = (Q^{i+j}, \Sigma, q_0^{i+j}, \delta^{i+j}, F^{i+j})$ be a finite-word (respectively, weak Büchi) automaton. For each $0 \le j < k$, let $E^{i+j}_b$ and $E^{i+j}_f$ be, respectively, the backward and forward equivalences computed between $A^{i+j}$ and $A^{i+j+1}$. The sequence $S_I$ is an incrementally growing sequence if

— For each $0 \le j \le k$, $A^{i+j}$ is minimal;

— For each $0 \le j \le k-1$, $A^{i+j+1}$ is incrementally larger than $A^{i+j}$;

— For each $1 \le j \le k-1$, the head increment $Q^{i+j+1}_{I_H}$, which is detected between $A^{i+j}$ and $A^{i+j+1}$, is the image by $E^{i+j}_f$ of the increment $Q^{i+j}_{I_H}$.

Consider a subsequence $S_I = A^i, \ldots, A^{i+k}$ of $A^1, \ldots, A^n$ that grows incrementally. For $2 \le j \le k$, the tail part $Q^{i+j}_T$ of $A^{i+j}$ will then consist of $j-1$ copies of its head increment $Q^{i+j}_{I_H}$ plus a part that we will name the tail-end set. Precisely, $Q^{i+j}_T$ can be partitioned into $\{Q^{i+j}_{I_1}, Q^{i+j}_{I_2}, \ldots, Q^{i+j}_{I_{j-1}}, Q^{i+j}_{T_E}\}$, where

— For each $1 \le \ell \le j-1$, the tail increment $Q^{i+j}_{I_\ell}$ is the image by the relation $E^{i+j-1}_f \circ E^{i+j-2}_f \circ \cdots \circ E^{i+j-\ell}_f$ of the head increment $Q^{i+j-\ell}_{I_H}$;

— The tail-end set $Q^{i+j}_{T_E}$ contains the remaining elements of $Q^{i+j}_T$.

Given an automaton $A^{i+j}$ in the sequence $S_I$, we define its growing decomposition w.r.t. $S_I$, denoted $\mathit{GROW}_{(S_I)}(A^{i+j})$, to be the ordered list $\{Q^{i+j}_H, \{Q^{i+j}_{I_H}, Q^{i+j}_{I_1}, \ldots, Q^{i+j}_{I_{j-1}}\}, Q^{i+j}_{T_E}\}$. It is easy to see that the head increment $Q^{i+j}_{I_H}$ of $A^{i+j}$ and all its tail increments $Q^{i+j}_{I_\ell}$, $\ell \in [1, j-1]$, appearing in its tail part $Q^{i+j}_T$ are images of the head increment $Q^{i+1}_{I_H}$ detected between $A^i$ and $A^{i+1}$ by a combination of forward and backward equivalences. This observation extends to all the automata in $S_I$. Consequently, the transition graphs internal^d to all increments of all the automata in the sequence are isomorphic to that of $Q^{i+1}_{I_H}$, and hence are isomorphic to each other. In the rest of the paper, this isomorphism relation between two increments is called the increment isomorphism relation. Observe also that, since we are working with minimal automata, for each $j \in [1, k-1]$ we have the following:

— The head part $Q^{i+j+1}_H$ is the image by $E^{i+j}_b$ of the head part $Q^{i+j}_H$. Consequently, the internal transition graphs of the head parts of all the automata in the sequence $S_I$ are isomorphic to each other. This isomorphism relation is called the head isomorphism relation;

— The tail-end set $Q^{i+j+1}_{T_E}$ is the image by $E^{i+j}_f$ of the tail-end set $Q^{i+j}_{T_E}$. Consequently, the internal transition graphs of the tail-end sets of all the automata in the sequence $S_I$ are isomorphic to each other. This isomorphism relation is called the tail-end set isomorphism relation.

The situation is illustrated in Figure 5.

Our intention is to extrapolate the last automaton of an incrementally growing sequence of automata by adding more increments, following a regular pattern. In order to do this, we need to compare and characterize the transitions leaving different increments.



^d The transition graph only contains transitions between states of the increment.
Fig. 5. Automata in an incrementally growing sequence.

Definition 7.6. Let $A^{i+k} = (Q^{i+k}, \Sigma, q_0^{i+k}, \delta^{i+k}, F^{i+k})$ be the last automaton of an incrementally growing sequence of automata $S_I = A^i, A^{i+1}, \ldots, A^{i+k}$. Assume that $\mathit{GROW}_{(S_I)}(A^{i+k}) = \{Q^{i+k}_H, \{Q^{i+k}_{I_H}, Q^{i+k}_{I_1}, \ldots, Q^{i+k}_{I_{k-1}}\}, Q^{i+k}_{T_E}\}$, and write $Q^{i+k}_{I_0}$ for $Q^{i+k}_{I_H}$. Then, an increment $Q^{i+k}_{I_\alpha}$ ($0 \le \alpha \le k-1$) is said to be communication equivalent to an increment $Q^{i+k}_{I_\beta}$ ($0 \le \beta \le k-1$) if and only if, for each pair of corresponding states (by the increment isomorphism) $(q, q')$, $q \in Q^{i+k}_{I_\alpha}$ and $q' \in Q^{i+k}_{I_\beta}$, and $a \in \Sigma$, we have that either

— $\delta^{i+k}(q, a) \in Q^{i+k}_{I_\alpha}$ and $\delta^{i+k}(q', a) \in Q^{i+k}_{I_\beta}$, hence leading to corresponding states by the existing increment isomorphism between $Q^{i+k}_{I_\alpha}$ and $Q^{i+k}_{I_\beta}$, or

— $\delta^{i+k}(q, a)$ and $\delta^{i+k}(q', a)$ are both undefined, or

— $\delta^{i+k}(q, a)$ and $\delta^{i+k}(q', a)$ both lead to the same state of the tail end $Q^{i+k}_{T_E}$, or

— there exists some $\gamma > 0$ such that $\delta^{i+k}(q, a)$ and $\delta^{i+k}(q', a)$ lead to corresponding states by the increment isomorphism between $Q^{i+k}_{I_{\alpha+\gamma}}$ and $Q^{i+k}_{I_{\beta+\gamma}}$ ($0 \le \alpha+\gamma, \beta+\gamma \le k-1$).

The definition easily generalizes to increments of different automata.

Example 7.7. Consider the automaton of Figure 6, whose set of states is given by $\{0, 1, 2, 3, 4, 5\}$. Assume that $Q$ contains three increments that are $Q_{I_0} = \{1\}$, $Q_{I_1} = \{2\}$, and $Q_{I_2} = \{3\}$. The increments $Q_{I_0}$ and $Q_{I_1}$ are communication equivalent. The property does not hold for $Q_{I_1}$ and $Q_{I_2}$ since a transition labeled with $c$ is not defined from state 3.

Fig. 6. An automaton for Definition 7.6.

For the same reasons, we also need to compare the transitions leaving the head parts of different automata in the sequence.

Definition 7.8. Let $A^{i+k-1} = (Q^{i+k-1}, \Sigma, q_0^{i+k-1}, \delta^{i+k-1}, F^{i+k-1})$ and $A^{i+k} = (Q^{i+k}, \Sigma, q_0^{i+k}, \delta^{i+k}, F^{i+k})$ be the two last automata of an incrementally growing sequence of automata $S_I = A^i, \ldots, A^{i+k}$. Assume that $\mathit{GROW}_{(S_I)}(A^{i+k-1}) = \{Q^{i+k-1}_H, \{Q^{i+k-1}_{I_H}, \ldots, Q^{i+k-1}_{I_{k-2}}\}, Q^{i+k-1}_{T_E}\}$ and $\mathit{GROW}_{(S_I)}(A^{i+k}) = \{Q^{i+k}_H, \{Q^{i+k}_{I_H}, \ldots, Q^{i+k}_{I_{k-1}}\}, Q^{i+k}_{T_E}\}$. We say that $A^{i+k-1}$ and $A^{i+k}$ are communication stable if and only if for each pair of corresponding states (by the increment isomorphism) $(q, q')$, $q \in Q^{i+k-1}_H$ and $q' \in Q^{i+k}_H$, and $a \in \Sigma$, we have that either

— $\delta^{i+k-1}(q, a) \in Q^{i+k-1}_H$ and $\delta^{i+k}(q', a) \in Q^{i+k}_H$, hence leading to corresponding states by the existing head isomorphism between $Q^{i+k-1}_H$ and $Q^{i+k}_H$, or

— $\delta^{i+k-1}(q, a)$ and $\delta^{i+k}(q', a)$ are both undefined, or

— $\delta^{i+k-1}(q, a) = q_1^{i+k-1} \in Q^{i+k-1}_{T_E}$ and $\delta^{i+k}(q', a) = q_1^{i+k} \in Q^{i+k}_{T_E}$, hence leading to corresponding states by the existing tail-end set isomorphism between $Q^{i+k-1}_{T_E}$ and $Q^{i+k}_{T_E}$, or

— $\delta^{i+k-1}(q, a) \in Q^{i+k-1}_{I_x}$ and $\delta^{i+k}(q', a) \in Q^{i+k}_{I_x}$, hence leading to corresponding states by the existing increment isomorphism between $Q^{i+k-1}_{I_x}$ and $Q^{i+k}_{I_x}$ ($0 \le x \le k-1$).

8. EXTRAPOLATION ALGORITHMS 

To extrapolate a possibly infinite sequence of minimal finite-word (respectively, minimal weak Büchi) automata $A^1, A^2, \ldots$, we try to extract and extrapolate one of its finite incrementally growing sampling sequences $S_I = A^{s_0}, \ldots, A^{s_k}$. The "candidate" extrapolation for $A^1, A^2, \ldots$ is then given by the extrapolation of the sequence $S_I$. Let $A^{e_0} = A^{s_k}$ be the last automaton of $S_I$. In order to extrapolate $S_I$, we simply insert an extra increment between the head part of $A^{e_0}$ and its head increment $Q^{e_0}_{I_H}$, and define its outgoing transitions in order to make this extra increment communication equivalent to $Q^{e_0}_{I_H}$. By repeatedly applying this extrapolation step we obtain an extrapolated infinite sequence of automata $A^{e_0}, A^{e_1}, \ldots$, which is assumed to be the infinite extension of the sampling sequence $S_I$. Formally, the extrapolated sequence of origin $A^{e_0}$ is the infinite sequence of minimal automata $A^{e_0}, A^{e_1}, \ldots$ such that

— For each $i > 0$, $A^{s_0}, A^{s_1}, \ldots, A^{s_{k-1}}, A^{e_0}, A^{e_1}, \ldots, A^{e_i}$ grows incrementally;

— For each $i > 0$, $A^{e_i}$ is communication stable with $A^{e_0}$;

— For each $i > 0$, the head increment detected between $A^{e_{i-1}}$ and $A^{e_i}$ is communication equivalent to $Q^{e_0}_{I_H}$.
Fig. 7. Illustration of the extrapolation procedure for finite-word automata.

The limit $A^{e_*}$ of the extrapolated sequence of origin $A^{e_0}$ is thus an extrapolation of the limit of $A^1, A^2, \ldots$. In this section, we present procedures to build a finite representation for $A^{e_*}$. For technical reasons, the cases of finite-word and weak Büchi automata are considered separately.

8.1 Finite-word Automata 

Assume $A^{e_0}$ to be a finite-word automaton. We propose to build a finite representation of $A^{e_*}$ by adding to $A^{e_0}$ new transitions that simulate the existence of additional increments.

Consider the automaton $A^{e_0}$ with $\mathrm{GROW}(S_i)(A^{e_0}) = \{Q_H^{e_0}, \{Q_{I_0}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}\}, Q_T^{e_0}\}$. Suppose the existence of a transition labeled by $a$ from a state $x$ of $Q_{I_0}^{e_0}$ to a state $x'$ of $Q_{I_1}^{e_0}$. Since the increment $Q_{I_0}^{e_1}$ added between $A^{e_0}$ and $A^{e_1}$ is communication equivalent to $Q_{I_0}^{e_0}$, there must exist a transition $t$ labeled by $a$ from the state isomorphic to $x$ in $Q_{I_0}^{e_1}$ to the state isomorphic to $x'$ in $Q_{I_1}^{e_1}$. Our construction simulates $t$ in $A^{e_0}$ by adding a transition $t'$ labeled by $a$ from $x$ to the state isomorphic to $x'$ in $Q_{I_0}^{e_0}$. This construction can be repeated for the addition of a second increment. The simulation of "more than two increments" is done by adding transitions between states of $Q_{I_0}^{e_0}$. Due to the communication equivalence property, a similar principle has to be applied to the outgoing transitions from $Q_H^{e_0}$. The situation is illustrated in Figure 7, where a part of $A^{e_0}$ has been represented. The dashed transitions in the figure are the transitions added during the extrapolation process.

Formally, a finite representation of $A^{e_*}$ can be built from $A^{e_0}$ with the construction outlined in the following proposition.

Proposition 8.1. Let $A^{e_0}$ defined over $\Sigma$ be a minimal finite-word automaton which is the last automaton of an incrementally growing sequence of automata $S_i$. Assume that $\mathrm{GROW}(S_i)(A^{e_0}) = \{Q_H^{e_0}, \{Q_{I_0}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}\}, Q_T^{e_0}\}$. One can compute a finite-word automaton $A^{e_*}$ that represents the limit of the extrapolated sequence of origin $A^{e_0}$.

Proof. Let $\delta$ be the transition relation of $A^{e_0}$. The automaton $A^{e_*}$ can be built from $A^{e_0}$ by augmenting $\delta$ using the following rule:

For each state $q \in Q_H^{e_0} \cup Q_{I_0}^{e_0}$ and $a \in \Sigma$, if $\delta(q,a)$ leads to a state $q'$ in an increment $Q_{I_j}^{e_0}$, $1 \le j \le k-1$, then for each $0 \le \ell < j$, add a transition $(q, a, q'')$, where $q''$ is the state corresponding to $q'$ (by the increment isomorphism) in $Q_{I_\ell}^{e_0}$.

The added transitions, which include loops (transitions to $Q_{I_0}^{e_0}$ itself), allow $A^{e_*}$ to simulate the runs of any of the $A^{e_i}$ ($i > 0$). Conversely, it is also easy to see that all accepting runs generated using the added transitions correspond to accepting runs of some $A^{e_i}$. □

Fig. 8. Automata for Example 8.2.

Fig. 9. Illustration of the extrapolation algorithm for finite-word automata with the addition of counter values.

Example 8.2. Consider the minimal finite-word automaton $A^{e_0}$ given in Figure 8(a), with $Q_H^{e_0} = \{0\}$, $Q_{I_0}^{e_0} = \{1\}$, $Q_{I_1}^{e_0} = \{2\}$, $Q_{I_2}^{e_0} = \{3\}$, $Q_{I_3}^{e_0} = \{4\}$, and $Q_T^{e_0} = \{5, 6\}$. Applying the construction of Proposition 8.1 to $A^{e_0}$ gives the automaton $A^{e_*}$ in Figure 8(b).

We now show that it is possible to add a counter $c$ to $A^{e_*}$ in such a way that when a word is accepted, the value of $c$ is the smallest index $i$ of the automaton $A^{e_i}$ of the extrapolation sequence by which the word is in fact accepted. Our construction labels each transition added to $A^{e_0}$ with a value that represents the number of increments simulated by this transition. In Figure 9 we sketch the construction for the automaton given in Figure 8.

Fig. 10. Automaton for Example 8.4.

Proposition 8.3. Let $A^{e_0} = (Q, \Sigma, Q_0, \delta, F)$ be a minimal finite-word automaton which is the last automaton of a finite incrementally growing sequence of automata $S_i$. Assume that $\mathrm{GROW}(S_i)(A^{e_0}) = \{Q_H^{e_0}, \{Q_{I_0}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}\}, Q_T^{e_0}\}$ and let $A^{e_0}, A^{e_1}, \ldots$ be the extrapolated sequence of origin $A^{e_0}$. One can compute a finite-word counter automaton $A_c^{e_*}$ such that (1) $L(A_c^{e_*}) = \bigcup_{i \ge 0} L(A^{e_i})$, (2) for each $(w, i) \in \mathcal{C}(A_c^{e_*})$, $w \in L(A^{e_i})$, and (3) for each $i \ge 0$ and $w \in L(A^{e_i})$, $0 \le j \le i$ exists such that $(w, j) \in \mathcal{C}(A_c^{e_*})$.

Proof. Let $\delta$ be the transition relation of $A^{e_0}$. The one-dimensional counter automaton $A_c^{e_*}$ is given by $(1, c, Q, \Sigma, Q_0, \Delta, F)$, with $\Delta$ defined as follows:

— Start with $\Delta = \emptyset$;

— For each $(q, a, q') \in \delta$, add $(q, (a, 0), q')$ to $\Delta$;

— For each state $q \in Q_H^{e_0} \cup Q_{I_0}^{e_0}$ and $a \in \Sigma$, if $\delta(q,a)$ leads to a state $q'$ in an increment $Q_{I_j}^{e_0}$, $1 \le j \le k-1$, then for each $0 \le \ell < j$, add to $\Delta$ a transition $(q, (a, j-\ell), q'')$, where $q''$ is the state corresponding to $q'$ (by the increment isomorphism) in $Q_{I_\ell}^{e_0}$.

□

Let $A_c^{e_0}$ be the counter-zero automaton corresponding to $A^{e_0}$. We directly see that for each $i > 0$ and $w \in L(A^{e_i}) \setminus L(A^{e_0})$, $1 \le j \le i$ exists such that $(w, j) \in \mathcal{C}(A_c^{e_*}) \setminus \mathcal{C}(A_c^{e_0})$. Indeed, since $w \notin L(A^{e_0})$, any accepting run on $w$ must pass through states of one of the added increments, and $j$ cannot be equal to 0.

Example 8.4. Figure 10 presents the result of applying the construction of Proposition 8.3 to the automaton $A^{e_0}$ of Example 8.2.
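The two constructions of this subsection, Proposition 8.1 (add transitions that simulate extra increments) and Proposition 8.3 (label each added transition with the number of increments it simulates), as an added example in Python that is not the paper's or T(O)RMC's code. The automaton $A^{e_0}$ below is a constructed one, not the one of Figure 8: its GROW decomposition ($Q_H$, $Q_{I_0}$, $Q_{I_1}$, $Q_{I_2}$, $Q_T$), its transitions, and the positional increment isomorphism are all assumptions chosen for illustration. Each increment reads the factor $ab$, so $L(A^{e_0}) = \{(ab)^3 c\}$, and the extrapolation accepts $(ab)^n c$ for every $n \ge 3$; the counter automaton returns, for an accepted word, the smallest $i$ such that $A^{e_i}$ accepts it.

```python
# Added example, not the paper's or T(O)RMC's code: Propositions 8.1 and 8.3
# applied to a constructed finite-word automaton A^{e0}. The state sets, the
# transitions and the positional increment isomorphism are assumptions chosen
# for illustration, not taken from the paper's figures.

HEAD = [0]                             # Q_H (constructed)
INCREMENTS = [[1, 2], [3, 4], [5, 6]]  # Q_{I_0} (head increment), Q_{I_1}, Q_{I_2}
TAIL = [7]                             # Q_T
INITIAL = 0
ACCEPTING = {7}
# Deterministic transition relation delta of A^{e0}, as {(q, a): q'}.
# Each increment reads "ab", so L(A^{e0}) = {(ab)^3 c}.
DELTA = {(0, "a"): 1, (1, "b"): 2, (2, "a"): 3, (3, "b"): 4,
         (4, "a"): 5, (5, "b"): 6, (6, "c"): 7}


def increment_index(q):
    """Return j if q lies in increment Q_{I_j}, else None (head or tail state)."""
    for j, inc in enumerate(INCREMENTS):
        if q in inc:
            return j
    return None


def iso(q, ell):
    """Increment isomorphism: the state of Q_{I_ell} corresponding to q.
    Assumption: increments are listed in corresponding order, so the
    isomorphism is positional."""
    return INCREMENTS[ell][INCREMENTS[increment_index(q)].index(q)]


def extrapolate_with_counter(delta=DELTA):
    """Proposition 8.3: the transition set Delta of the counter automaton
    A_c^{e*}. A transition (q, (a, n), q'') simulates n extra increments;
    the original transitions of A^{e0} carry n = 0."""
    trans = {(q, (a, 0), q2) for (q, a), q2 in delta.items()}
    sources = set(HEAD) | set(INCREMENTS[0])        # q in Q_H  U  Q_{I_0}
    for (q, a), q2 in delta.items():
        j = increment_index(q2)
        if q in sources and j is not None and j >= 1:  # q' in Q_{I_j}, 1 <= j <= k-1
            for ell in range(j):                       # 0 <= ell < j
                trans.add((q, (a, j - ell), iso(q2, ell)))
    return trans


def extrapolate(delta=DELTA):
    """Proposition 8.1: the transitions of A^{e*}, i.e. Delta with the counter
    dropped. Here the only added transition is the loop (2, a, 1) back into
    the head increment."""
    return {(q, a, q2) for q, (a, _), q2 in extrapolate_with_counter(delta)}


def min_counter(word, trans=None):
    """Smallest counter value over the accepting runs of A_c^{e*} on word, or
    None if the word is rejected. By Proposition 8.3 this is the least i such
    that A^{e_i} accepts the word (0 means A^{e0} itself accepts it)."""
    if trans is None:
        trans = extrapolate_with_counter()
    best = {INITIAL: 0}                  # reachable state -> cheapest counter
    for letter in word:
        nxt = {}
        for q, (a, n), q2 in trans:
            if a == letter and q in best:
                cand = best[q] + n
                if q2 not in nxt or cand < nxt[q2]:
                    nxt[q2] = cand
        best = nxt
        if not best:
            return None
    accepted = [c for q, c in best.items() if q in ACCEPTING]
    return min(accepted) if accepted else None


if __name__ == "__main__":
    for w in ["ababc", "abababc", "ababababc", "abababababc"]:
        print(w, "->", min_counter(w))
```

`min_counter` is a plain subset simulation of the nondeterministic counter automaton that keeps, per reachable state, the cheapest counter value seen so far; since every counter increment is non-negative, the minimum over accepting states at the end is the smallest index of an automaton of the extrapolated sequence accepting the word, which is exactly what Proposition 8.3 asks of $\mathcal{C}(A_c^{e_*})$.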

8.2 Weak Büchi Automata

Assume now $A^{e_0}$ to be a deterministic weak Büchi automaton. In such a case, a finite representation of the extrapolated sequence of origin $A^{e_0}$ cannot be computed with the construction of Proposition 8.1.
Fig. 11. A weak Büchi automaton and its extrapolation with the construction of Proposition 8.1.

Example 8.5. Consider the minimal weak Büchi automaton $A^{e_0}$ given in Figure 11(a), with $Q_H^{e_0} = \{0\}$, $Q_{I_0}^{e_0} = \{1\}$, $Q_{I_1}^{e_0} = \{2\}$, $Q_{I_2}^{e_0} = \{3\}$, and $Q_T^{e_0} = \{4, 5\}$. Applying the construction of Proposition 8.1 to $A^{e_0}$ gives the automaton $A^{e_*}$ in Figure 11(b). This automaton accepts the word $x a^\omega$, which cannot be accepted by any of the automata $A^{e_i}$ in the extrapolated sequence of origin $A^{e_0}$.

The example above shows that applying the construction of Proposition 8.1 to $A^{e_0}$ may introduce new cycles from states of $Q_{I_0}^{e_0}$ to themselves. Since the accepting runs of the $A^{e_i}$ can only go through a finite number of increments, it is essential to make these cycles nonaccepting. The problem can easily be solved, as stated in the following proposition.

Proposition 8.6. Let $A^{e_0}$ defined over $\Sigma$ be a minimal weak Büchi automaton which is the last element of an incrementally growing sequence of automata $S_i$. Assume that $\mathrm{GROW}(S_i)(A^{e_0}) = \{Q_H^{e_0}, \{Q_{I_0}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}\}, Q_T^{e_0}\}$. One can compute a weak Büchi automaton $A^{e_*}$ that represents the limit of the extrapolated sequence of origin $A^{e_0}$.

Proof. Let $\delta$ be the transition relation of $A^{e_0}$. The automaton $A^{e_*}$ that represents the limit of the extrapolated sequence whose origin is $A^{e_0}$ can be built from $A^{e_0}$ by augmenting its set of states and transitions with the following rules:

(1) Build an isomorphic copy $A_{I_0\mathit{copy}}$ of the automaton formed by the states in $Q_{I_0}^{e_0}$, the transitions between them, and the outgoing transitions from these states to states in $Q_{I_1}^{e_0}, Q_{I_2}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}$, and $Q_T^{e_0}$;

(2) Make all the states of $A_{I_0\mathit{copy}}$ nonaccepting;

(3) For each state $q \in Q_{I_0}^{e_0} \cup Q_H^{e_0}$ and $a \in \Sigma$, if $\delta(q,a)$ leads to a state $q'$ in an increment $Q_{I_j}^{e_0}$, $1 \le j \le k-1$, then

(a) For each $1 \le \ell < j$, add a transition $(q, a, q'')$, where $q''$ is the state corresponding to $q'$ (by the increment isomorphism) in $Q_{I_\ell}^{e_0}$. Also, add a transition $(q, a, q'')$, where $q''$ is the state corresponding to $q'$ in $A_{I_0\mathit{copy}}$;

(b) If $q \in Q_{I_0}^{e_0}$, then let $q_{\mathit{copy}}$ be the state corresponding to $q$ in $A_{I_0\mathit{copy}}$. For each $1 \le \ell < j$, add a transition $(q_{\mathit{copy}}, a, q'')$, where $q''$ is the state corresponding to $q'$ (by the increment isomorphism) in $Q_{I_\ell}^{e_0}$. Also, add a transition $(q_{\mathit{copy}}, a, q'')$, where $q''$ is the state corresponding to $q'$ in $A_{I_0\mathit{copy}}$.
□

Fig. 12. A weak Büchi automaton for Example 8.7.

Fig. 13. Büchi automata for the proof of Proposition 8.8.

The construction in the proposition above follows from the one given in Proposition 8.1. The only slight difference is the duplication of the head increment, which is needed to make sure that the new cycles added to $A^{e_*}$ are nonaccepting.

Example 8.7. The automaton in Figure 12 is the result of applying the construction of Proposition 8.6 to the automaton $A^{e_0}$ of Example 8.5.
Proposition 8.8. Let $A^{e_*}$ be the result of applying the construction of Proposition 8.6 to $A^{e_0}$, the last automaton of a finite incrementally growing sequence of deterministic weak Büchi automata. The automaton $A^{e_*}$ may not be weak deterministic.

Proof. Consider the minimal weak Büchi automaton $A^{e_0}$ given in Figure 13(a), with $Q_H^{e_0} = \{6, 4\}$, $Q_{I_0}^{e_0} = \{7\}$, $Q_{I_1}^{e_0} = \{5\}$, and $Q_T^{e_0} = \{0, 1, 2, 3, 8\}$. Applying the construction of Proposition 8.6 to $A^{e_0}$ gives the nondeterministic weak Büchi automaton $A_1^{e_*}$ in Figure 13(b). In this automaton, the state labeled by 9 is the duplication of $Q_{I_0}^{e_0}$. The result of determinizing $A_1^{e_*}$ is the deterministic co-Büchi automaton $A_2^{e_*}$ that is given in Figure 13(c). It is easy to see that this automaton is not inherently weak and, consequently, cannot be turned into a weak Büchi automaton. □

Following what has been done for the case of finite-word automata, we now propose to add a counter $c$ to $A^{e_*}$ in such a way that when a word is accepted, the value of $c$ is the smallest index $i$ of the automaton $A^{e_i}$ of the extrapolated sequence by which the word is in fact accepted.

Proposition 8.9. Let $A^{e_0} = (Q, \Sigma, Q_0, \delta, F)$ be a minimal weak Büchi automaton which is the last element of an incrementally growing sequence of automata $S_i$. Assume that $\mathrm{GROW}(S_i)(A^{e_0}) = \{Q_H^{e_0}, \{Q_{I_0}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}\}, Q_T^{e_0}\}$ and let $A^{e_0}, A^{e_1}, \ldots$ be the extrapolated sequence of origin $A^{e_0}$. One can compute a run-bounded weak Büchi counter automaton $A_c^{e_*}$ such that (1) $L(A_c^{e_*}) = \bigcup_{i \ge 0} L(A^{e_i})$, (2) for each $(w, i) \in \mathcal{C}(A_c^{e_*})$, $w \in L(A^{e_i})$, and (3) for each $w \in L(A^{e_i})$, $j \le i$ exists such that $(w, j) \in \mathcal{C}(A_c^{e_*})$.

Proof. Let $\delta$ be the transition relation of $A^{e_0}$. The one-dimensional counter automaton $A_c^{e_*}$ is given by $(1, c, Q', \Sigma, Q_0, \Delta, F)$, with $Q'$ and $\Delta$ defined as follows:

(1) Start with $\Delta = \emptyset$;

(2) For each $(q, a, q') \in \delta$, add $(q, (a, 0), q')$ to $\Delta$;

(3) Build an isomorphic copy $A_{I_0\mathit{copy}}$ of the automaton formed by the states in $Q_{I_0}^{e_0}$, the transitions between them, and the outgoing transitions from these states to states in $Q_{I_1}^{e_0}, Q_{I_2}^{e_0}, \ldots, Q_{I_{k-1}}^{e_0}$, and $Q_T^{e_0}$. All these transitions are associated with the counter increment 0;

(4) Make all the states of $A_{I_0\mathit{copy}}$ nonaccepting;

(5) For each state $q \in Q_{I_0}^{e_0} \cup Q_H^{e_0}$ and $a \in \Sigma$, if $\delta(q,a)$ leads to a state $q'$ in an increment $Q_{I_j}^{e_0}$, $1 \le j \le k-1$, then

(a) For each $1 \le \ell < j$, add to $\Delta$ a transition $(q, (a, j-\ell), q'')$, where $q''$ is the state corresponding to $q'$ (by the increment isomorphism) in $Q_{I_\ell}^{e_0}$. Also, add a transition $(q, (a, j), q'')$, where $q''$ is the state corresponding to $q'$ in $A_{I_0\mathit{copy}}$;

(b) If $q \in Q_{I_0}^{e_0}$, then let $q_{\mathit{copy}}$ be the state corresponding to $q$ in $A_{I_0\mathit{copy}}$. For each $1 \le \ell < j$, add to $\Delta$ a transition $(q_{\mathit{copy}}, (a, j-\ell), q'')$, where $q''$ is the state corresponding to $q'$ (by the increment isomorphism) in $Q_{I_\ell}^{e_0}$. Also, add a transition $(q_{\mathit{copy}}, (a, j), q'')$, where $q''$ is the state corresponding to $q'$ in $A_{I_0\mathit{copy}}$.
□

Fig. 14. Automaton for Example 8.10.

Let $A_c^{e_0}$ be the counter-zero automaton corresponding to $A^{e_0}$. From the observations above, we directly see that for each $i \in \mathbb{N}$ and $w \in L(A^{e_i}) \setminus L(A^{e_0})$, $1 \le j \le i$ exists such that $(w, j) \in \mathcal{C}(A_c^{e_*}) \setminus \mathcal{C}(A_c^{e_0})$.

Example 8.10. Figure 14 presents the result of applying the construction of Proposition 8.9 to the automaton $A^{e_0}$ of Example 8.5.

9. SAFETY AND PRECISENESS 

After having constructed a finite automaton $A^{e_*}$ representing the extrapolation of a sequence $A^0, A^1, \ldots$ of automata, it remains to check whether it accurately corresponds to what we really intend to compute, i.e., $\bigcup_{i \ge 0} A^i$. This is done by first checking that the extrapolation is safe, in the sense that it captures all behaviors of $\bigcup_{i \ge 0} A^i$, and then checking that it is precise, i.e., that it has no more behaviors than $\bigcup_{i \ge 0} A^i$. We check both properties using sufficient conditions. We develop these conditions separately for the two ($\omega$-)Regular Reachability Problems.

Remark 9.1. As we already mentioned in the introduction, the ability to extrapolate an infinite sequence of automata has other applications than solving the ($\omega$-)Regular Reachability Problems (see [Bouajjani et al. 2004; Cantin et al. 2008] for examples). Depending on the problem being considered, we may have to use other correctness criteria than those that are proposed in this paper.

9.1 Transitive Closure of a Transducer 

Consider a reflexive deterministic finite-word (respectively, deterministic weak Büchi) transducer $T$ and let $T^{e_0}$ be the last element of an incrementally growing sampling sequence $S_i$ of powers of $T$. Assume that $T^{e_0}$ is the origin of an extrapolated sequence $T^{e_0}, T^{e_1}, \ldots$. The limit of this sequence is the transducer $T^{e_*}$ with $L(T^{e_*}) = \bigcup_{i \ge 0} L(T^{e_i})$ that has been computed by applying the construction of Proposition 8.1 (respectively, Proposition 8.6) to $T^{e_0}$. We provide sufficient criteria to test whether $L(T^*) = L(T^{e_*})$.

We first determine whether $T^{e_*}$ is a safe extrapolation of $T$, i.e., whether $L(T^*) \subseteq L(T^{e_*})$. For this, we propose the following result.

Proposition 9.2. Let $T_1$ and $T_2$ be two reflexive transducers defined over the same alphabet. If $L(T_2 \circ T_2) \subseteq L(T_2)$ and $L(T_1) \subseteq L(T_2)$, then $L(T_1^*) \subseteq L(T_2)$.
Proof. We show by induction that for each $i \ge 0$, $L(T_1^i) \subseteq L(T_2)$. The base cases, i.e., $L(T_1^0) \subseteq L(T_2)$ and $L(T_1) \subseteq L(T_2)$, hold by hypothesis. Suppose now that $i > 1$ and that the result holds for any $k < i$. It is easy to see that $L(T_1^i) \subseteq L(T_2)$. Indeed, $L(T_1^i) = L(T_1^{i-1} \circ T_1) \subseteq L(T_2 \circ T_1) \subseteq L(T_2 \circ T_2) \subseteq L(T_2)$. The first inclusion holds by induction, the second because $L(T_1) \subseteq L(T_2)$, and the third by hypothesis. □

By construction, $L(T) \subseteq L(T^{e_*})$ and, moreover, $T$ is reflexive. Consequently, Proposition 9.2 states that if $L(T^{e_*} \circ T^{e_*}) \subseteq L(T^{e_*})$, then $T^{e_*}$ is a safe extrapolation of $T^*$. This criterion is only sufficient, since there could exist two words $w, w' \in L(T^{e_*})$ such that $w, w' \notin L(T^*)$ and $w \circ w' \notin L(T^{e_*})$. In practice, checking the condition expressed by Proposition 9.2 requires complementing $T^{e_*}$. Indeed, this condition is equivalent to checking whether the language accepted by the automaton which is the intersection of the automaton for $T^{e_*} \circ T^{e_*}$ and the one for the complement of $T^{e_*}$ is empty or not. When working with weak automata, $T^{e_*}$ is by construction weak but generally not deterministic (see Proposition 8.8). Our approach consists in determinizing $T^{e_*}$, and then checking whether the resulting transducer is inherently weak. In the positive case, this transducer can be turned into a weak deterministic one and easily complemented by inverting the sets of accepting and nonaccepting states. Otherwise a Büchi complementation algorithm has to be applied.
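The safety test of Proposition 9.2, as an added example in Python that is not the paper's or T(O)RMC's code. It works on constructed toy length-preserving transducers over $\{0,1\}$, each represented as a DFA over the pair alphabet $\{0,1\} \times \{0,1\}$ (a missing transition is an implicit rejecting sink). The three transducers are assumptions chosen for illustration: $T$ is the identity or "flip the leftmost 0 to 1" (so it is reflexive), `T2` stands for $T \circ T$ (an under-approximation of $T^*$), and `T_STAR` relates $uv$ to $1^{|u|}v$ for any split, which is the true transitive closure. The check computes $T_2 \circ T_2$ as a product automaton and decides the two inclusions of the proposition by exploring the product with the complement of the candidate, exactly the intersection-and-emptiness test the paragraph above describes for the finite-word case.

```python
# Added example, not the paper's or T(O)RMC's code: the safety criterion of
# Proposition 9.2 on constructed length-preserving transducers over {0, 1}.
# A transducer is a DFA over letter pairs (x, y); absent transitions reject.

SIGMA = ("0", "1")
PAIRS = [(x, y) for x in SIGMA for y in SIGMA]


class DFA:
    def __init__(self, start, delta, accepting):
        self.start = start
        self.delta = delta                # {(state, pair): state}
        self.accepting = set(accepting)

    def step(self, state, pair):
        return self.delta.get((state, pair))   # None = rejecting sink


# "eq" reads only equal pairs: the rest of the word is copied unchanged.
EQ = {("eq", ("0", "0")): "eq", ("eq", ("1", "1")): "eq"}

# T (constructed): identity, or flip the leftmost 0 to 1. Reflexive.
T = DFA("p", {("p", ("1", "1")): "p", ("p", ("0", "0")): "eq",
              ("p", ("0", "1")): "eq", **EQ}, {"p", "eq"})

# T2 (constructed) = T o T: flip up to the two leftmost zeros.
T2 = DFA("p", {("p", ("1", "1")): "p", ("p", ("0", "0")): "eq",
               ("p", ("0", "1")): "f1", ("f1", ("1", "1")): "f1",
               ("f1", ("0", "1")): "eq", ("f1", ("0", "0")): "eq", **EQ},
         {"p", "f1", "eq"})

# T_STAR (constructed): relates u v to 1^{|u|} v, i.e. T* for this T.
T_STAR = DFA("u", {("u", ("1", "1")): "u", ("u", ("0", "1")): "u",
                   ("u", ("0", "0")): "v", ("v", ("0", "0")): "v",
                   ("v", ("1", "1")): "v"}, {"u", "v"})


def as_nfa(dfa):
    """View a DFA as an NFA triple (start, {(state, pair): set(states)}, accepting)."""
    return dfa.start, {k: {v} for k, v in dfa.delta.items()}, set(dfa.accepting)


def compose(t1, t2):
    """t1 o t2: (x, z) is related iff some y has (x, y) in t1 and (y, z) in t2.
    Built as a product NFA over the reachable pairs of states."""
    start = (t1.start, t2.start)
    delta, acc = {}, set()
    todo, seen = [start], {start}
    while todo:
        cur = todo.pop()
        s1, s2 = cur
        if s1 in t1.accepting and s2 in t2.accepting:
            acc.add(cur)
        for x, z in PAIRS:
            for y in SIGMA:                       # guess the middle word letter
                n1, n2 = t1.step(s1, (x, y)), t2.step(s2, (y, z))
                if n1 is None or n2 is None:
                    continue
                nxt = (n1, n2)
                delta.setdefault((cur, (x, z)), set()).add(nxt)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return start, delta, acc


def included(nfa, dfa):
    """Decide L(nfa) ⊆ L(dfa): search the product of nfa with the complement of
    dfa for a reachable state that nfa accepts and dfa rejects (sink = None)."""
    nstart, ndelta, nacc = nfa
    start = (nstart, dfa.start)
    todo, seen = [start], {start}
    while todo:
        ns, ds = todo.pop()
        if ns in nacc and (ds is None or ds not in dfa.accepting):
            return False                  # witness of a word outside L(dfa)
        for pair in PAIRS:
            dnext = None if ds is None else dfa.step(ds, pair)
            for nnext in ndelta.get((ns, pair), ()):
                st = (nnext, dnext)
                if st not in seen:
                    seen.add(st)
                    todo.append(st)
    return True


def safe_extrapolation(t, candidate):
    """Proposition 9.2 with T1 = t and T2 = candidate: if L(t) ⊆ L(candidate) and
    L(candidate o candidate) ⊆ L(candidate), then L(t*) ⊆ L(candidate)."""
    return (included(as_nfa(t), candidate)
            and included(compose(candidate, candidate), candidate))


if __name__ == "__main__":
    print("T_STAR safe:", safe_extrapolation(T, T_STAR))   # closed under o
    print("T2 safe:", safe_extrapolation(T, T2))           # T2 o T2 flips 4 zeros
```

The negative case is the one a practitioner should expect from an under-approximated extrapolation: `T2` contains `T`, but composing it with itself flips up to four zeros, so the word pair $(000, 111)$ is accepted by `T2 ∘ T2` and rejected by `T2`, and the criterion correctly refuses to certify it as safe. As the text notes, a refusal does not by itself prove that the candidate is unsafe, since the criterion is only sufficient.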

We now turn to determining whether $T^{e_*}$ is a precise extrapolation of $T$, i.e., whether $L(T^{e_*}) \subseteq L(T^*)$. For this, we again provide a partial solution in the form of a sufficient criterion. The "preciseness" problem amounts to proving that any word accepted by $T^{e_*}$, or equivalently by some $T^{e_i}$, is also accepted by an iteration of the transducer $T$. The idea is to check that this can be proved inductively. The property is true by construction for the transducer $T^{e_0}$ from which the extrapolation sequence is built. If we can also prove that, if the property holds for all $T^{e_j}$ with $j < i$, then it also holds for $T^{e_i}$, we are done. For this, we propose the following theorem.

Theorem 9.3. Let $T$ and $T^{e_*}$ be two transducers and $T^{e_0}$ be a power of $T$. Assume an infinite sequence of transducers $T^{e_0}, T^{e_1}, \ldots$, and let $L(T^{e_*}) = \bigcup_{i \ge 0} L(T^{e_i})$. If

$$\forall w, \forall i > 0 \; [\, w \in L(T^{e_i}) \setminus L(T^{e_0}) \Rightarrow \exists\, 0 \le j, j' < i,\; w \in L(T^{e_j} \circ T^{e_{j'}}) \,], \qquad (1)$$

then $L(T^{e_*}) \subseteq L(T^*)$.

Proof. The proof is by induction: we show that for each $i \ge 0$, $L(T^{e_i}) \subseteq L(T^*)$. The base case, i.e., $L(T^{e_0}) \subseteq L(T^*)$, holds by hypothesis. Suppose now that $i > 0$ and that the result holds for any $j < i$. We show that $L(T^{e_i}) \subseteq L(T^*)$. Consider a word $w \in L(T^{e_i})$. If $w \in L(T^{e_0})$, then the result holds. If $w \notin L(T^{e_0})$ then, by Condition (1), there exist $j, j' < i$, $w' \in L(T^{e_j})$, $w'' \in L(T^{e_{j'}})$ such that $w = w' \circ w''$. Since, by inductive hypothesis, $w', w'' \in L(T^*)$, $n_1, n_2 \in \mathbb{N}$ exist such that $w' \in L(T^{n_1})$ and $w'' \in L(T^{n_2})$. We thus have $w \in L(T^{n_1+n_2})$. □

Theorem 9.3 reduces the problem of checking the preciseness of $T^{e_*}$ to the one of testing whether Condition (1) is satisfied or not. We now go one step further and reduce this test to automata-based manipulations.
Lemma 9.4. Let $T^{e_0}$ be the last element of an incrementally growing sampling sequence $S_i$ of transducers, and $T_c^{e_0}$ be the counter-zero automaton corresponding to $T^{e_0}$. Assume that $T^{e_0}$ is the origin of an extrapolated sequence $T^{e_0}, T^{e_1}, \ldots$ and let $T_{c_1}^{e_*}, T_{c_2}^{e_*}, T_{c_3}^{e_*}$ be three copies of the counter transducer $T_c^{e_*}$ which is obtained by applying the construction of Proposition 8.3 (respectively, Proposition 8.9) to $T^{e_0}$. If

$$\mathcal{C}\bigl(\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}]\bigr) = \mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0}), \qquad (2)$$

then

$$\forall w, \forall i > 0 \; [\, w \in L(T^{e_i}) \setminus L(T^{e_0}) \Rightarrow \exists\, 0 \le j, j' < i,\; w \in L(T^{e_j} \circ T^{e_{j'}}) \,].$$

Proof. Observe that the counter language of $\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}]$ is the counter language of $T_c^{e_*}$ from which one has removed all the pairs $(w, i)$ for which there are no $(w', j < i), (w'', j' < i) \in \mathcal{C}(T_c^{e_*})$ with $w = w' \circ w''$. For each $i$ and each word $w$, if $w \in L(T^{e_i}) \setminus L(T^{e_0})$ then, by Proposition 8.3 (respectively, Proposition 8.9), there exists $k \in \mathbb{N}$, $k > 0$, such that $(w, k \le i) \in \mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0})$. Since Condition (2) holds, there exist $j, j' \in \mathbb{N}$ with $j, j' < k \le i$ and two words $w', w''$ such that $(w', j) \in \mathcal{C}(T_c^{e_*})$ and $(w'', j') \in \mathcal{C}(T_c^{e_*})$, with $w = w' \circ w''$. By Proposition 8.3 (respectively, Proposition 8.9), $w' \in L(T^{e_j})$ and $w'' \in L(T^{e_{j'}})$ and $w \in L(T^{e_j} \circ T^{e_{j'}})$. □

We can now state our main result. 

Theorem 9.5. Let $T$ be a transducer, $T^{e_0}$ the last element of an incrementally growing sampling sequence $S_i$ of powers of $T$, and $T_c^{e_0}$ the counter-zero automaton corresponding to $T^{e_0}$. Assume that $T^{e_0}$ is the origin of an extrapolated sequence $T^{e_0}, T^{e_1}, \ldots$ and let $T^{e_*}$ be the transducer that has been obtained by applying the construction of Proposition 8.1 (respectively, Proposition 8.6) to $T^{e_0}$. Let $T_{c_1}^{e_*}, T_{c_2}^{e_*}, T_{c_3}^{e_*}$ be three copies of the counter transducer $T_c^{e_*}$ which is obtained by applying the construction of Proposition 8.3 (respectively, Proposition 8.9) to $T^{e_0}$. If

$$\mathcal{C}\bigl(\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}]\bigr) = \mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0}),$$

then $L(T^{e_*}) \subseteq L(T^*)$.

Proof. By Proposition 8.1 (respectively, Proposition 8.6), we have $L(T^{e_*}) = \bigcup_{i \ge 0} L(T^{e_i})$. According to Lemma 9.4, since

$$\mathcal{C}\bigl(\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}]\bigr) = \mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0}),$$

we have

$$\forall w, \forall i > 0 \; [\, w \in L(T^{e_i}) \setminus L(T^{e_0}) \Rightarrow \exists\, 0 \le j, j' < i,\; w \in L(T^{e_j} \circ T^{e_{j'}}) \,].$$

It follows from Theorem 9.3 that $L(T^{e_*}) \subseteq L(T^*)$. □

Condition (2) can be implemented as follows:

— Observe that, since $\mathcal{C}(\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}])$ is disjoint from $\mathcal{C}(T_c^{e_0})$, checking $\mathcal{C}(\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}]) = \mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0})$ is equivalent to checking $\mathcal{C}(\pi_{\neq\{c_2,c_3\}}[(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}] \cup_c T_c^{e_0}) = \mathcal{C}(T_c^{e_*})$, which avoids computing $\mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0})$. Computing $\mathcal{C}(T_c^{e_*}) \setminus \mathcal{C}(T_c^{e_0})$ is a hard problem, which requires the ability to distinguish between accepting and nonaccepting runs that assign the same counter valuation to a given word.

— There are algorithms to compute $\cap_c$, $\circ_c$, and $\pi_{\neq\{c_2,c_3\}}$. Those algorithms directly follow from the definitions given in Section 3. Observe that if $T$ is weak, then the counter automaton for $T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*})$ is run-bounded weak.

— We do not compute the one-counter automaton for $(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}$, but an $M$-synchronized counter automaton whose language and counter languages may be subsets of those of $(T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*}))^{c_1 > \{c_2,c_3\}}$. We follow the methodology described in Section 3, and compute the extended intersection between the automaton $T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*})$ and two finite-word (respectively, run-bounded weak Büchi) $M$-Universal-synchronized counter automata, one which is synchronized w.r.t. counters $c_1$ and $c_2$, and the other one w.r.t. counters $c_1$ and $c_3$. Assume that $\Sigma^2$ is the alphabet of $T$ and $d$ is the maximal increment value of $T_c^{e_*}$. The extended alphabet of $T_c^{e_*}$ is $\Sigma^2 \times [0, d]$, and the one of $T_{c_1}^{e_*} \cap_c (T_{c_2}^{e_*} \circ_c T_{c_3}^{e_*})$ is thus $\Sigma^2 \times [0, d]^3$ (see the constructions for $\circ_c$ and $\cap_c$). In our experiments (see [Legay 2007] for details), we worked with counter automata whose extended alphabet is $\Sigma^2 \times [0, d]$, and such that $c_1$ is $M$-synchronized with respect to $c_2$ and $c_3$, with $M = 2 \times d$. This choice turned out to be the best compromise for our experimental results [Legay 2007; T(O)RMC], where we clearly observed a synchronization between the counters.

— We reduce the problem of checking the equivalence between the counter languages 
of the two members of the equality to the one of checking the equivalence between 
the languages of their extended automata (see Proposition 3.13). 

Observe that, if $L(T^*) = L(T^{e_*})$, then the transducers $T^{e_i}$ ($i > 0$) may constitute new elements in an extension of the sampling sequence $S_i$, i.e., if $S_i = T^{s_0}, T^{s_1}, \ldots, T^{s_k}$ with $T^{s_k} = T^{e_0}$, then the extension is $T^{s_0}, T^{s_1}, \ldots, T^{s_k}, T^{s_{k+1}}, T^{s_{k+2}}, \ldots$, with $T^{s_{k+i}} = T^{e_i}$ for each $i > 0$. Condition (1) is thus particularly designed to hold for sampling sequences where each transducer can be obtained by a single composition of transducers that appear before it in the sequence. Indeed, the condition can be read as follows: each transducer $T^{e_i}$ in the extended sampling sequence is the composition of two transducers $T^{e_j}$ and $T^{e_{j'}}$ that appear before it in this sequence. If more than one composition is needed, then the condition may not be satisfied even if $L(T^{e_*}) = L(T^*)$. Condition (1) can be adapted to work with other sampling sequences. This is illustrated with the following example.

Example 9.6. If each transducer in the sampling sequence is obtained by composing $n$ transducers that appear before it in the sequence, then one can test whether the following condition holds

$$\forall w, \forall i > 0 \; [\, w \in L(T^{e_i}) \setminus L(T^{e_0}) \Rightarrow \exists\, 0 \le j_1, \ldots, j_n < i,\; w \in L(T^{e_{j_1}} \circ \cdots \circ T^{e_{j_n}}) \,], \qquad (3)$$

rather than testing whether Condition (1) holds. Theorem 9.5 easily extends to other sampling sequences.

ACM Transactions on Computational Logic, Vol. V, No. N, 20YY.

9.2 Limit of a Sequence of Reachable Sets 

This section lifts the results obtained in the previous section to the case where one computes the limit of a sequence of reachable states. We consider a reflexive finite-word (respectively, deterministic weak Büchi) transducer $T$ and a deterministic finite-word (respectively, deterministic weak Büchi) automaton $A$. Let $A^{e_0}$ be the last automaton of an incrementally growing sampling sequence $S_i$ of $A, T^1(A), T^2(A), T^3(A), \ldots$, and assume that $A^{e_0}$ is the origin of an extrapolated sequence $A^{e_0}, A^{e_1}, \ldots$. The limit of this sequence is the automaton $A^{e_*}$ with $L(A^{e_*}) = \bigcup_{i \ge 0} L(A^{e_i})$ that has been computed by applying the construction of Proposition 8.1 (respectively, Proposition 8.6) to $A^{e_0}$. We provide sufficient criteria to test whether $L(T^*(A)) = L(A^{e_*})$.

We first determine whether $A^{e_*}$ is a safe extrapolation of $T^*(A)$, i.e., whether $L(T^*(A)) \subseteq L(A^{e_*})$. For this, we propose the following result.

Proposition 9.7. Let $A_1$ and $A_2$ be two automata defined over the same alphabet $\Sigma$ and with $L(A_1) \subseteq L(A_2)$. Let $T$ be a reflexive transducer over $\Sigma^2$. If $L(T(A_2)) \subseteq L(A_2)$ then $L(T^*(A_1)) \subseteq L(A_2)$.

Proof. By hypothesis, we have $L(A_1) \subseteq L(A_2)$. We show by induction that for each $i \ge 0$, $L(T^i(A_1)) \subseteq L(A_2)$. The base cases, i.e., $L(A_1) \subseteq L(A_2)$ and $L(T(A_1)) \subseteq L(A_2)$, hold by hypothesis. Suppose now that $i > 1$ and that the result holds for any $j < i$. It is easy to see that $L(T^i(A_1)) \subseteq L(A_2)$. Indeed, $L(T^i(A_1)) = L(T(T^{i-1}(A_1))) \subseteq L(T(A_2)) \subseteq L(A_2)$. The first inclusion holds by induction and the second because $L(T(A_2)) \subseteq L(A_2)$. □

Proposition 9.7 states that checking whether $A^{e_*}$ is a safe extrapolation of $\bigcup_{i \ge 0} T^i(A)$ can be done by checking whether $L(T(A^{e_*})) \subseteq L(A^{e_*})$. It is worth mentioning that this criterion is only sufficient. Indeed, there could exist a word $w \in L(A^{e_*})$ such that $w \notin L(T^*(A))$ and $w \notin L(T(A^{e_*}))$.

We now turn to determining whether $A^{e_*}$ is a precise extrapolation of $T^*(A)$, i.e., whether $L(A^{e_*}) \subseteq L(T^*(A))$. As in Section 9.1, we use an inductive argument, which is formalized with the following theorem.

Theorem 9.8. Let $T$ be a transducer and $A, A^{e_*}$ be two automata. Let $A^{e_0}$ be a power of $T$ applied to $A$, and consider an infinite sequence of automata $A^{e_0}, A^{e_1}, \ldots$, with $L(A^{e_*}) = \bigcup_{i \ge 0} L(A^{e_i})$. If

$$\forall w, \forall i > 0 \; [\, w \in L(A^{e_i}) \setminus L(A^{e_0}) \Rightarrow \exists\, 0 \le j < i,\; w \in L(T(A^{e_j})) \,], \qquad (4)$$

then $L(A^{e_*}) \subseteq L(T^*(A))$.

Proof. The proof is by induction: we show that for each $i \ge 0$, $L(A^{e_i}) \subseteq L(T^*(A))$. The base case, i.e., $L(A^{e_0}) \subseteq L(T^*(A))$, holds by hypothesis. Suppose now that $i > 0$ and that the result holds for any $j < i$. We show that $L(A^{e_i}) \subseteq L(T^*(A))$. Consider a word $w \in L(A^{e_i})$. If $w \in L(A^{e_0})$, then the result holds. Assume now that $w \notin L(A^{e_0})$. By Condition (4), there exists $j < i$ such that $w \in L(T(A^{e_j}))$. Since $T$ is reflexive and by inductive hypothesis, there exists $n$ such that $L(A^{e_j}) \subseteq L(T^n(A))$. We thus have $w \in L(T^{n+1}(A))$. □
We now go one step further and reduce the verification of Condition (4) to simple automata-based manipulations.

Lemma 9.9. Let $T$ be a reflexive transducer and $A$ be an automaton. Let $A^{e_0}$ be the last automaton of an incrementally growing sampling sequence $S_i$ of $A, T^1(A), T^2(A), T^3(A), \ldots$, and assume that $A^{e_0}$ is the origin of an extrapolated sequence $A^{e_0}, A^{e_1}, \ldots$. Let $A_{c_1}^{e_*}, A_{c_2}^{e_*}$ be copies of the counter automaton $A_c^{e_*}$ that is obtained by applying the construction of Proposition 8.3 (respectively, Proposition 8.9) to $(A^{e_0}, \mathrm{GROW}(S_i)(A^{e_0}))$. Let $A_c^{e_0}$ be the counter-zero automaton corresponding to $A^{e_0}$. If

$$\mathcal{C}\bigl(\pi_{\neq c_2}[(A_{c_1}^{e_*} \cap_c T(A_{c_2}^{e_*}))^{c_1 > c_2}]\bigr) = \mathcal{C}(A_c^{e_*}) \setminus \mathcal{C}(A_c^{e_0}), \qquad (5)$$

then

$$\forall w, \forall i > 0 \; [\, w \in L(A^{e_i}) \setminus L(A^{e_0}) \Rightarrow \exists\, 0 \le j < i,\; w \in L(T(A^{e_j})) \,].$$

Proof. Observe that the counter language of $\pi_{\neq c_2}[(A_{c_1}^{e_*} \cap_c T(A_{c_2}^{e_*}))^{c_1 > c_2}]$ is the counter language of $A_c^{e_*}$ from which one has removed all the pairs $(w, i)$ for which there is no pair $(w', j < i) \in \mathcal{C}(A_c^{e_*})$ with $w \in L(T(A_{w'}))$ (where $A_{w'}$ is an automaton whose language is $\{w'\}$). For each $i$ and each word $w$, if $w \in L(A^{e_i}) \setminus L(A^{e_0})$ then, by Proposition 8.3 (respectively, Proposition 8.9), there exists $k \in \mathbb{N}$, $k > 0$, such that $(w, k \le i) \in \mathcal{C}(A_c^{e_*})$. Since Condition (5) holds, there exists $j \in \mathbb{N}$ with $j < k \le i$ and a word $w'$ such that $(w', j) \in \mathcal{C}(A_c^{e_*})$ with $w \in L(T(A_{w'}))$. By Proposition 8.3 (respectively, Proposition 8.9), $w' \in L(A^{e_j})$ and $w \in L(T(A^{e_j}))$. □

Finally, we obtain our main result. 

Theorem 9.10. Let $T$ be a reflexive transducer and $A$ be an automaton. Let $A^{e_0}$ be the last automaton of an incrementally growing sampling sequence $S_i$ of $A, T^1(A), T^2(A), T^3(A), \ldots$, and assume that $A^{e_0}$ is the origin of an extrapolated sequence $A^{e_0}, A^{e_1}, \ldots$. Let $A^{e_*}$ be the automaton that has been obtained by applying the construction of Proposition 8.1 (respectively, Proposition 8.6) to $A^{e_0}$, and let $A_{c_1}^{e_*}, A_{c_2}^{e_*}$ be copies of the counter automaton $A_c^{e_*}$ that is obtained by applying the construction of Proposition 8.3 (respectively, Proposition 8.9) to $A^{e_0}$. Let $A_c^{e_0}$ be the counter-zero automaton corresponding to $A^{e_0}$. If

$$\mathcal{C}\bigl(\pi_{\neq c_2}[(A_{c_1}^{e_*} \cap_c T(A_{c_2}^{e_*}))^{c_1 > c_2}]\bigr) = \mathcal{C}(A_c^{e_*}) \setminus \mathcal{C}(A_c^{e_0}),$$

then $L(A^{e_*}) \subseteq L(T^*(A))$.

Proof. By Proposition 8.1 (respectively, Proposition 8.6), we have $L(A^{e_*}) = \bigcup_{i \ge 0} L(A^{e_i})$. According to Lemma 9.9, since

$$\mathcal{C}\bigl(\pi_{\neq c_2}[(A_{c_1}^{e_*} \cap_c T(A_{c_2}^{e_*}))^{c_1 > c_2}]\bigr) = \mathcal{C}(A_c^{e_*}) \setminus \mathcal{C}(A_c^{e_0}),$$

we have

$$\forall w, \forall i > 0 \; [\, w \in L(A^{e_i}) \setminus L(A^{e_0}) \Rightarrow \exists\, 0 \le j < i,\; w \in L(T(A^{e_j})) \,].$$

It follows from Theorem 9.8 that $L(A^{e_*}) \subseteq L(T^*(A))$. □
Theorem 9.10 states a sufficient criterion to check whether $A^{e_*}$ is a precise extrapolation of $T^*(A)$. This criterion amounts to testing whether Condition (4) holds. For this, we proceed as for Condition (2).

Observe that, if $L(T^*(A)) = L(A^{e_*})$, then the automata $A^{e_i}$ ($i > 0$) may constitute new elements in an extension of the sampling sequence $S_i$, i.e., if $S_i = A^{s_0}, A^{s_1}, \ldots, A^{s_k}$ with $A^{s_k} = A^{e_0}$, then the extension is $A^{s_0}, A^{s_1}, \ldots, A^{s_k}, A^{s_{k+1}}, A^{s_{k+2}}, \ldots$, with $A^{s_{k+i}} = A^{e_i}$ for each $i > 0$. Condition (4) is thus particularly designed to hold for sampling sequences where each element can be obtained from the previous one by a single application of the transducer $T$. Indeed, the condition can be read as follows: each automaton $A^{e_i}$ in the extended sampling sequence can be obtained by applying $T$ to an element that appears before it in the sequence. If more applications of $T$ are needed, then we may have to adapt the condition. This is illustrated with the following example.

Example 9.11. If each element in the sampling sequence is obtained by applying the transducer $T$ $k > 1$ times to the previous element in the sequence, then one can test whether the following condition holds

$$\forall w, \forall i > 0 \; [\, w \in L(A^{e_i}) \setminus L(A^{e_0}) \Rightarrow \exists\, 0 \le j < i,\; w \in L(T^k(A^{e_j})) \,] \qquad (6)$$

rather than checking Condition (4).

This observation holds for sampling sequences where the number of applications of $T$ needed to build each element from the previous one is constant. In [Legay 2007], we proposed another approach that consists in associating to each state of the system an integer variable that counts the number of applications of the reachability relation needed to reach this state from the initial set of states. Using this "counter variable", we can propose a preciseness criterion whose induction is based on the number of applications of the reachability relation rather than on the position in the sampling sequence. Contrary to the techniques presented in this section, the counters are no longer introduced during the extrapolation process, but are present in all the steps of the computation. This is a "key point" to ensure the preciseness when considering a nonlinear sampling sequence, but this clearly influences the extrapolation process and the detection of increments. As observed in [Legay 2007], this approach is of particular interest when dealing with systems that manipulate integer/real variables. However, the solution in [Legay 2007] is not a panacea. Indeed, as an example, it is known that the transitive closure of the relation $\{(x, 2x)\}$ in base 2 is regular, but the transitive closure of the relation $\{((x, y), (2x, y+1))\}$ is not regular.

10. IMPLEMENTATION AND EXPERIMENTS 

This section briefly discusses an implementation of our results as well as the exper- 
iments that have been conducted. 

10.1 Heuristics 

Implementing the technique presented in this paper requires potentially costly composition and determinization procedures. In [Boigelot et al. 2003; 2004; Legay 2007], we proposed two heuristics that, in some situations, reduced the computation time from days to seconds. Experimental results, which are presented in Chapter 7 of [Legay 2007], show that those heuristics are particularly useful when working with arithmetic systems.

10.2 The T(O)RMC Toolset

The results presented in this paper have been implemented in the T(O)RMC (which stands for Tool for ($\omega$-)Regular Model Checking) toolset [Legay 2008], which relies on the LASH toolset [LASH] for automata manipulations.

The LASH toolset is a tool for representing infinite sets and exploring infinite state spaces. It is based on finite-state representations, which rely on finite automata for representing and manipulating infinite sets of values over various data domains. The tool is composed of several C functions grouped into packages. The LASH toolset implements several specific algorithms for solving the ($\omega$-)regular reachability problems of several classes of infinite-state systems, which include FIFO-queue systems [Boigelot and Godefroid 1996; Boigelot et al. 1997], systems with integer variables [Boigelot 2003], and linear hybrid systems [Boigelot et al. 2003; Boigelot and Herbreteau 2006].

T(O)RMC extends the LASH toolset with the generic algorithm presented in this 
paper. Contrary to the specific algorithms of LASH, the algorithm of T(O)RMC is 
applicable to any system that can be represented in the (ω-)Regular Model Checking 
framework. This makes it possible to handle classes of infinite-state systems that 
are beyond the scope of specific algorithms, e.g., parametric systems. T(O)RMC is 
divided into three packages, which are briefly described hereafter. 

(1) The transducer package that provides data structures and algorithms to ma- 
nipulate transducers (composition, image computation, . . . ). The package also 
provides several heuristics to improve the efficiency of the operations. 

(2) The extrapolation package for detecting increments in a sequence of automata, 
and extrapolating a finite sampling sequence. The tool allows the user to specify 
(1) which sampling strategy has to be used, and (2) how to build the successive 
elements in the infinite sequence. 

(3) The correctness package that provides data structures and algorithms to check 
the correctness of the extrapolation for several classes of problems. The package 
also contains all the data structures and algorithms to manipulate counter-word 
automata. 

T(O)RMC can be used to compute an extrapolation of a possibly infinite sequence 
of automata S = , . . . . For this, the user has to provide the following two 
functions: 

— A function named SAMPLING that takes as arguments two integers i and j. 
Each time T(O)RMC calls the function, it sets i and j to the indexes of two 
automata A_i and A_j such that A_j is incrementally larger than A_i. The function 
returns an automaton which the user assumes to be the next automaton 
in a sampling sequence whose two last elements are A_i and A_j. 

— A function named CHECK that takes as argument an automaton. If the 
function returns yes, then T(O)RMC assumes that this automaton is the extrapolation 
expected by the user. It is this function that implements the checks for safety 
and preciseness. 

To extrapolate the infinite sequence of automata S, T(O)RMC behaves as follows: 

(1) T(O)RMC computes finite prefixes of S until it finds two automata A_i and A_j 
such that A_j is incrementally larger than A_i. 

(2) T(O)RMC then tries to compute an incrementally growing sampling sequence 
Si, assuming that the two first elements of this sequence are A_i and A_j. The 
automata are added one by one to the sampling sequence, using the function 
SAMPLING. Each time a new automaton is added, the tool checks whether 
Si is still incrementally growing. If no, then T(O)RMC goes back to point (1) 
and considers a longer prefix. If yes, then T(O)RMC extrapolates Si 
and produces an automaton. This extrapolation is followed by a call to the 
function CHECK on that automaton. If the function returns yes, then the computation 
terminates, and the extrapolated automaton is the one returned by the tool. If the function 
returns no, then the tool tries to increase Si by adding one more automaton. 

10.3 A Brief Overview of the Experiments 

The T(O)RMC toolset has been applied to more than 100 case studies. This section 
only briefly recaps the classes of problems for which T(O)RMC has been used so 
far. Details about the experiments (including performance in terms of time and 
memory, which varies from example to example) can be found in Chapters 7 and 
13 of [Legay 2007]. 

We first used T(O)RMC to compute an automata-based representation of the 
set of reachable states of several infinite-state systems, including parametric sys- 
tems, FIFO-queue systems, and systems manipulating integer variables. Other 
experiments concerned the computation of the transitive closure of several arith- 
metic relations. It is worth mentioning that the disjunctive nature of some relations 
sometimes prevents the direct use of specific domain-based techniques [Finkel and 
Leroux 2002; Boigelot and Herbreteau 2006]. We also applied T(O)RMC to the 
challenging problem of analyzing linear hybrid systems. One of the case studies 
consisted of computing a precise representation of the set of reachable states of 
several versions of the leaking gas burner. To the best of our knowledge, only the 
technique in [Boigelot and Herbreteau 2006] was able to handle the cases we con- 
sidered. Among the other experiments, we should also mention the computation of 
the set of reachable states of an augmented version of the IEEE Root Contention 
Protocol [Legay 2007], which has been pointed out to be a hard problem [Simons and 
Stoelinga 2001]. The ability of T(O)RMC to compute the limit of an infinite se- 
quence of automata has other applications. As an example, the tool has been used 
in a semi-algorithm to compute the convex hull of a set of integer vectors [Cantin 
et al. 2007; 2008]. T(O)RMC was also used to compute a symbolic representa- 
tion of the simulation relation between the states of several classes of infinite-state 
systems [Bouajjani et al. 2004]. 

The main goal of T(O)RMC is not performance improvement, but to allow exper- 
imentation with automata sequence extrapolation in a variety of contexts that go 
beyond (ω-)regular model checking problems. As such, T(O)RMC is slower than 
tools that are specific to solving such model checking problems for the arithmetic 
domain (e.g. FAST [Bardin et al. 2006], LIRA [Becker et al. 2007], LASH), but 
is perfectly competitive when handling other regular model checking cases (para- 
metric systems, FIFO-queue systems, ...) [RMC ; Vardhan and Viswanathan 2006]. 
T(O)RMC relies on LASH for automata manipulations. The LASH toolset is ori- 
ented towards experimentation. It is thus less efficient for manipulating automata 
representing sets of real/integer numbers than LIRA and FAST, which are oriented 
towards performance. 

11. A BRIEF COMPARISON WITH OTHER WORKS 

In this section, we briefly compare our approach with other generic techniques for 
solving the (ω-)Regular Reachability Problems. 

The Regular Model Checking framework was first proposed in [Kesten et al. 
1997] as a uniform paradigm for algorithmic verification of parametric systems. 
The contributions in [Kesten et al. 1997] are an automata-based representation of 
parametric systems and an algorithm to compute the transitive closure of the finite- 
word transducer representing the reachability relation of such systems. One major 
difference with our work is that the construction in [Kesten et al. 1997] can only 
be applied to a very specific class of finite-word transducers. 

In [Bouajjani et al. 2000; Abdulla et al. 2003], Nilsson et al. proposed sev- 
eral simulation-based techniques that, given a finite-word transducer T, compute 
a finite-state representation for T+. The core idea of those techniques is to iter- 
ately compute the successive unions T^{≤1}, T^{≤2}, T^{≤3}, ... (where T^{≤i} = ∪_{k=1}^{i} T^k) while 
collapsing progressively their states according to an equivalence relation, which is 
induced by the simulation relations. The results of [Bouajjani et al. 2000; Abdulla 
et al. 2003] have been implemented in a tool called the RMC toolset (which stands for 
Tool for Regular Model Checking) [RMC ], and tested on several parametric and queue 
systems for which good results have been obtained [Nilsson 2005]. Unfortunately, it 
seems that the relations used to merge the states of the successive unions have been 
designed to handle parametric and queue systems only. To the best of our knowl- 
edge, the RMC toolset cannot be used with other classes of systems such as linear 
integer systems. In [Dams et al. 2002], Dams, Lakhnech, and Steffen proposed a 
non-implemented simulation-based technique to compute T+. This technique is 
similar to those proposed in [Bouajjani et al. 2000; Abdulla et al. 2003]. 

In [Touili 2001; 2003], Touili proposed another extrapolation-based technique to 
solve the Regular Reachability Problems. The results presented in this paper share 
some notions with those in [Touili 2001; 2003]. Indeed, the core idea in the work 
of Touili is to compute an extrapolation of a finite-word transducer by comparing 
a finite prefix of its successive powers, trying to detect increments between them. 
One major drawback of Touili's work, which is not implemented, is that no efficient 
method is provided to detect the increments. There is no methodology to test 
whether the extrapolation is precise or not. It is however easy to see that our 
preciseness criterion directly adapts to Touili's extrapolation procedure. 

In [Vardhan et al. 2004; Vardhan 2006], Vardhan et al. apply machine learning 
techniques from [Angluin 1987; Rivest and Schapire 1993] to learn a finite-word 
automaton that represents the set of reachable states of a regular system. The 
results in [Vardhan et al. 2004; Vardhan 2006] have been implemented in a tool 
called LEVER [Vardhan and Viswanathan 2006], which has been applied to FIFO- 
queue and linear integer systems. A drawback with this approach is that it requires 
the addition of witness variables that may break the regularity of the set of reachable 
states. We also mention that in [Habermehl and Vojnar 2004], Habermehl et al. 
also proposed to use a learning-based approach to compute the set of reachable 
states of several parametric systems. 

Fig. 15. Automata for Example 12.1. 

Finally, even if they do not consider exactly the same problem as us, it is relevant 
to mention a series of recent works [Bouajjani et al. 2004; Bouajjani et al. 2005] 
that combine abstraction-based techniques with automata-based constructions to 
verify reachability properties. Those works have been shown to be particularly 
efficient for parametric and queue systems [Bouajjani et al. 2004] as well as for 
systems manipulating pointers [Bouajjani et al. 2005]. On the other hand, one 
dedicated abstraction is needed for each class of system, while our extrapolation- 
based technique is designed to be applicable to any system that can be represented 
by an (ω-)regular system. 

12. CONCLUSION AND FUTURE WORK 

In this paper, we have introduced an extrapolation-based technique for solving the 
(ω-)Regular Reachability Problems. The approach consists in computing the limit 
of an infinite sequence of minimal finite-word (respectively, minimal weak Büchi) 
automata by extrapolating a finite sampled prefix of this sequence, i.e., selected 
automata from a prefix of the sequence. The technique does not guarantee that a 
result will be obtained, and correctness of the guessed extrapolation needs to be 
checked once it is obtained. Our results have been implemented in a tool called 
T(O)RMC, which has been applied to several case studies. 

One possible direction for future work would be to extend the increment detection 
procedure described in Section 7. Indeed, as it is illustrated with the following 
example, the procedure is not able to detect all possible forms of increment. 

Example 12.1. Consider the finite-word automata given in Figure 15. The au- 
tomaton A2 differs from the automaton A1 by the addition of an increment, which 
is represented by state 1. If we compare A2 and A3, we see the addition of one 
more increment. Clearly, A3 differs from A1 by the addition of two increments rep- 
resented by states 1 and 2. Unfortunately, in A3, the increment detected between 
A2 and A3 (state 2 of A3) is the origin of a transition whose destination is the 
increment detected between A1 and A2 (state 1 of A3). Such a situation cannot be 
captured with the technique introduced in Section 7. 

We could also investigate whether it is possible to detect the repetition of dif- 
ferent increment patterns in the same automaton. As an example, the automata 
representing ab, aabb, aaabbb, ... differ by the repetitions of the symbols a and b. If 
we separately close those repetitions, we will obtain an automaton that represents 
a*b*. This language, which is an over-approximation of the "correct" closure (i.e., 
a^n b^n (n ∈ N_0)), may be sufficient for practical applications. Another interesting di- 
rection would be to extend our results to other classes of automata, such as 
tree and pushdown automata. 
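The a^n b^n remark above, as an added example that is not code from the paper or from T(O)RMC: automata are encoded as plain Python dictionaries (a constructed encoding), and the names chain_dfa, close_repetitions, is_safe and imprecision_witness are my own. Closing each run of repeated symbols separately gives an automaton for a+b+ (contained in the a*b* mentioned above and still a strict over-approximation of a^n b^n); the safety check passes on the sampled sequence, while the preciseness check produces a witness word.

```python
from itertools import product

def chain_dfa(n):
    """Minimal DFA for the single word a^n b^n (n >= 1): a chain 0..2n, 2n accepting."""
    delta = {}
    for i in range(n):
        delta[(i, "a")] = i + 1
        delta[(n + i, "b")] = n + i + 1
    return {"start": 0, "delta": delta, "final": {2 * n}}

def accepts(dfa, word):
    """Run the DFA on word; a missing transition rejects."""
    state = dfa["start"]
    for sym in word:
        state = dfa["delta"].get((state, sym))
        if state is None:
            return False
    return state in dfa["final"]

def close_repetitions(chain):
    """Close each maximal run of equal symbols of a chain DFA separately: every run
    becomes one state with a self-loop. For a^n b^n this gives a+ b+."""
    out = {s: (sym, t) for (s, sym), t in chain["delta"].items()}  # one edge per state
    syms, state = [], chain["start"]
    while state in out:                       # read the chain's single path
        sym, state = out[state]
        syms.append(sym)
    runs = [c for k, c in enumerate(syms) if k == 0 or c != syms[k - 1]]
    delta = {}
    for k, c in enumerate(runs, start=1):
        delta[(k - 1, c)] = k                 # enter the k-th run
        delta[(k, c)] = k                     # and repeat it freely
    return {"start": 0, "delta": delta, "final": {len(runs)}}

def words(max_len):
    """All non-empty words over {a, b} up to max_len, shortest first."""
    return ("".join(t) for n in range(1, max_len + 1) for t in product("ab", repeat=n))

def is_safe(extra, samples, max_len=8):
    """Safety: every word of every sampled automaton is in the extrapolation."""
    return all(accepts(extra, w) for a in samples for w in words(max_len) if accepts(a, w))

def imprecision_witness(extra, samples, max_len=8):
    """Shortest word of the extrapolation that no sample accepts (None if precise)."""
    return next((w for w in words(max_len)
                 if accepts(extra, w) and not any(accepts(a, w) for a in samples)), None)

SAMPLES = [chain_dfa(n) for n in (1, 2, 3)]   # constructed sequence: ab, aabb, aaabbb
EXTRA = close_repetitions(SAMPLES[-1])        # the same automaton for every n
```

The witness returned for this sequence is "aab": it is accepted by the closed automaton but by no a^n b^n, which is exactly why the closure is only an over-approximation.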

Another interesting direction would be to extend our results to other classes 
of systems such as visibly pushdown systems [Alur and Madhusudan 2004] . We 
could isolate a class of systems for which we can always compute a safe and precise 
extrapolation. 

Finally, it would be of interest to extend (ω-)Regular Model Checking to the 
verification of open systems. As opposed to state-transition systems, open systems 
are systems whose behavior depends on an external environment. In a series of 
fairly recent papers, symbolic games [Abdulla et al. 2003; de Alfaro et al. 2001; 
Bouyer et al. 2005] have been proposed as a general framework for specifying finite- 
state open systems [Adler et al. 2006; de Alfaro and Henzinger 2001; de Alfaro 
et al. 2005]. We believe that our work could help to extend this approach to 
infinite-state open systems. 